RSS feed for Information security

Introduction

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

With the advent of information systems, information has become the life blood of the modern world. Given its importance, modern organisations aren’t always as careful as they could be with it. Whether it’s their customer details, details of their business transactions or their intellectual property, information is – almost casually – shared when it shouldn’t be.

In this free course, Information security, you’ll explore what it is about information that makes it so valuable.

Given that information security is critical in organisations, this course assumes that you have an organisation that you can study. This could, for instance, be your employer, a professional body, a local shop, a library or even your doctors’ surgery.

This OpenLearn course is an adapted extract from the Open University course M811 Information security.

Learning outcomes

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

After studying this course, you should be able to:

define what information is
appreciate the value of information to the modern organisation
understand the CIA triad of Confidentiality, Integrity and Availability
appreciate the difficulties that arise when valuable information needs to be shared
identify the five leading-edge resources that have up-to-date information on information security.

1 Information: the heart of everything with value

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

In May 2016, Coca-Cola’s shareholders valued the company at almost US $200 billion. Their accountants placed its value at US $24.91 billion (Wolfram Alpha, 2016a).

Why the difference? Is this just accountants being prissy?

Well, no. Accountants like to work on the realised value of the company, called book value; that is the total value of its tangible assets: its property, computers, manufacturing plant etc.

In contrast, shareholders value the things in a company that can make money, called it’s market value. So on top of the tangible assets, their interest includes the information that a company holds. For Coca-Cola, that includes John S. Pemberton’s famous recipe which, according to Coca-Cola’s investors, could be worth anything up to US $175bn.

Activity 1: Coca-Cola’s secret recipe

Using Wikipedia – or a similar online tool – find out what you can about the recipe for Coca-Cola.

Discussion

From Wikipedia (2016a), it appears that the secret of the recipe comes down to the ‘7X formula’, a special blend of oils, herbs and spices such as orange, cinnamon and coriander. Wikipedia lists them and their proportions, but we don’t know for certain whether Coca-Cola actually contains them nor their proportions.

1.1 Social networks

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

Comparing book and market value once again, the information collected by Facebook on their 1.23 billion monthly active users is worth almost a quarter of a trillion dollars (Wolfram Alpha, 2016b). This information includes some (apparently pretty tame stuff) you give when you sign up: your name, city of birth, city of residence, email address. Some you will give as a matter of course, such as relationship status, family members, birthday etc.

However, Facebook’s massive market value is the value to advertisers of the information you give up as you use Facebook to log your life. This includes what you’ve liked and disliked, which restaurants you’ve eaten at (so what foods you like), which sports teams you support (so which sports clothing you might like to buy), which videos you have watched (so which films you might like to buy) etc.

Print media – such as newspapers – once had a monopoly on ad-supported news. Because they printed only one version, in those days they used to say that half of every advertising budget was wasted, you just couldn’t know which half. Now, with Facebook, every advert that is placed in front of you is determined precisely by algorithms; algorithms that use what Facebook know about you to get the best bang-for-the-buck for an advertiser.

Activity 2: The value of information to Facebook

Given the following information about a Facebook user, what value could it have for targeting an advert?

websites visited
companies liked
their current mood
device they’ve accessed the internet from
their credit-card details

Discussion

We came up with:

websites visited: Facebook could offer similar websites
companies liked: Facebook could offer competitors companies’ products
their current mood: Facebook could offer champagne adverts for a user who is celebrating, or man-size tissues to those who are unhappy
device they’ve accessed the internet from: Facebook know what mobile phone you have and so could offer games for that phone
their credit-card details: Facebook could offer special services for competing credit cards, with special cash-back deals.

1.2 What is information?

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

Information comprises the meanings and interpretations that people – and increasingly algorithms – place upon facts or data. The value of information springs from the ways it is interpreted and applied to make products – like Coca-Cola – and to provide services – like Facebook does for its advertisers.

As we have seen, and supported by academic writers such as Itami and Roehl (1987), the true value of an organisation is in the information it uses and creates.

Activity 3: You and your organisation’s need for information

a.Write down the main objective – sometimes called the mission – of your organisation.
b.List the main kinds of information your organisation requires to meet its mission. Note down any areas in which the mission makes preserving the value of information difficult.
c.List the main kinds of information you have at home.

Guidance

Your answer to (b) will depend on the nature of your organisation. If your organisation produces a product, you may be able to identify information that is used in the creation of the product, including intellectual property such as designs and patents. If your organisation is a retailer, appropriate information might include customer information and price lists. A not-for-profit organisation will perhaps have employee lists, client lists, stock lists, a charter, etc. All for-profit organisations are required to keep financial information.
In your answer to (c), don’t restrict yourself to paper documents.

Discussion

a.The mission of The Open University is to be:
1. open to people – making university study available to an increasingly large and diverse student body and providing learning opportunities that meet individuals’ lifelong needs
2. open to places – providing learning opportunities in the home, workplace and community throughout the UK and selectively elsewhere, and serving an increasingly mobile population
3. open to methods – using and developing the most effective media and technologies for learning, teaching and assessment while attaching central importance to the personal academic support given to students; and working collaboratively with others to extend and enrich lifelong learning
4. open to ideas – developing a vibrant academic community that reflects and supports the diversity of intellectual interests of all our students and staff, and that is dedicated to the advancement and sharing of knowledge through research and scholarship.
b.Within The Open University there are very many types of information that are required to meet this mission. Examples include the following:
1. Teaching information – this information is provided in the huge range of courses that the OU produces, thus supporting the first, third and fourth of the mission statements. By providing teaching information in a variety of formats, including printed text and electronic text, the second mission statement is supported too.
2. Research information – this information is embodied in the research documents written by OU researchers, and supports the third and fourth mission statements.
3. Administrative information – an example is provided by the student records kept on courses studied and results, one use is to allow the OU to suggest appropriate choices of future study, thus supporting the first mission statement.
4. Strategic information – such information includes documents that explore the possible future of the OU, including proposed buildings, academic programmes and catering plans, thus providing support for all the mission statements.
- In fact the teaching and research information also provide the basis for much of the OU’s funding, thus indirectly supporting all four mission statements.
- The openness expressed in the mission makes the value of information difficult to preserve, and so this openness needs to be tempered by some measure of ‘closedness’, to protect the OU’s competitive advantage in teaching, for instance.
c.Looking around my home office, there is a great deal of paper on the shelves. Much of this is academic work and books, but there is also a great number of documents relating to insurance policies, credit and debit cards and bank accounts. On my pinboard are all my receipts for the financial year. Somewhere there are the deeds to my family’s home.
Additionally, my computer is full of information. For example, there are all the latest drafts of this course, all my email, applications, licences, bibliographic databases, my CV, the latest drafts of my PhD students’ reports etc.

2 Information security

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

It’s safe to say that Coca-Cola would never share its secret recipe with anyone other than the chosen few. Facebook, too, are unlikely to share the information they have on their users with those that would advertise. Keeping that information secret keeps the value that it has inside their companies. Some information needs to be kept confidential.

Of course, if confidentiality was paramount, we could simply lock the recipe up in a safe and throw away the key. Even more drastic, we could just burn every last copy of it. But that would mean that Coca-Cola’s shareholders would lose interest in investing as the source of its ability to make money would have disappeared. So information has to be available when needed.

Moreover, when it is needed, it must be correct otherwise, when you come to use it, you won’t end up with Coca-Cola. The information contained in it needs integrity – in the sense that it should be whole and undivided, i.e. correct.

There is sometimes a difficult balance to be made between the Confidentiality, Integrity and Availability – the CIA triad – of information. Information security is the art and science of getting that balance right.

Activity 4: CIA for your organisation’s information

Choose a piece of information whose value is critical for your organisation.

a.To which of the three security requirements is it subject? Why?
b.Thinking about each of confidentiality, integrity and availability in turn, how would you balance the CIA triad for it?

Discussion

We chose Open University assessment material, which contains information to the mission of The Open University in allowing us to validate a student’s study. Thus, it is critical to get the CIA triad correct.

a.Open University assessment material is subject to the following requirements:
- They’re highly confidential. In the case of an examination paper, if it was disclosed to students before the exam date, it would lose its value.
- They need to have integrity. Assessment with errors would cause problems for both students, who might be confused, and The Open University, as they would interfere with the marking of a student’s work.
- They have to be available – in the right place at the right time. If, for instance, a course exam paper wasn’t available at an examination centre on the day of the exam it would again have no value.
b.Let’s think about an exam paper
- Confidentiality. The information in the exam paper needs to be kept confidential as it is (i) authored and checked and (ii) distributed to the exam centre. First, I need to know who can be trusted and who can’t. I’m going to assume that people who get paid by The Open University – for instance academics, external examiners etc. – can be trusted, but others can’t.
  The process of authoring and checking the exam paper could take many months, and in that time it might need to be shared by many people, both inside and outside of the University. I know that email isn’t really confidential, so I’m going to stop the exam paper being attached to an email, unless it is password protected. Internal post isn’t secure, so I’ll ask that people walk to collect the exam paper whenever necessary. However, there are now paid for secure services that I might also look into.
  To keep it confidential while they’re on their way to the exam centre, the exam paper will be in a tamper-proof box, so that the courier – who won’t work for The Open University – doesn’t need to be trusted.
- Integrity. I’m going to ensure that there are lots of different sets of eyes on the exam paper so that errors will be spotted. I’m going to give responsibility for catching those errors both to the author and to the external examiner both of whom will have to formally sign off on the exam paper, confirming it’s error-free. That should get us most of the way. If all that fails and on the day someone spots an error on the paper, I’ll make sure there’s an academic no more than a telephone call away to check and quickly release a fix, if the error is confirmed.
- Availability. I know where the exam paper needs to be and on which day, so I’m going to book a courier service to pick the exam paper up from The Open University the day before, making sure it gets to its correct destination. The courier will deliver the paper to a named person who works in the examination centre at the other end. They will have responsibility to deliver it to where the examination is taking place.

Given that you chose different information assets, your analysis will be different. However, perhaps you asked the same questions: who could you trust? What services can be used? Who does what? If not, have another go and try to answer those questions too.

2.1 Other things to think about

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

If balancing the CIA triad wasn’t difficult enough, when sharing information, an organisation needs to be aware of the various laws, regulatory frameworks and codes of practice under which they operate. In the worst case, failure to comply with these can lead to disciplinary and/or legal action against board members. In such situations, directors and managers are duty bound to be cautious and vigilant.

But then again, the rewards of the e-business age can be immense and the creation of value is a big driver: as we have seen, information has become a powerful source of shareholder value, and may contribute massively to its ability to meet its mission. As organisations become more and more dependent on their information systems, pressure is increasing to get it right.

Activity 5: What can happen when it goes wrong?

Read the web page ‘The 15 worst data security breaches of the 21st Century’ (Armerding, 2012) and estimate the number of people affected by these data security breaches.

If the world population is approximately eight billion people, what is the likelihood of an individual being affected by one of the top 15 information security breaches?

Discussion

Ignoring those who were affected twice or more, we calculated that almost 453 million people were affected by the top 15 breaches. Adding together the figures in the article, we calculated that almost half a billion people were affected by the top 15 breaches. Given that there are 8 billion people, that’s 1 in 16. You might like to check whether your details have been released by visiting have i been pwned? (Hunt, 2016).

3 Tracking the leading edge

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

Like many computing topics, information security sits in a turbulent landscape and, like the weather, it is sometimes easier to see what will happen in the long term (five or ten years hence) than what will happen tomorrow. There is a constant turnover of technologies, research, organisations and commentators that makes it difficult to:

keep tabs on the issues that arise on a day-to-day basis and to know which are the issues that you should be concerned about
know where to turn to find information – and an in-depth evaluation – about those issues.

In this section you will survey the industry’s response to these issues. The response isn’t centralised in a single website but in the work of hundreds of individuals, either acting alone or on behalf of their organisation. The resources that they provide in the form of podcasts and other assets form the richest of resources for navigating the turbulent landscape of InfoSec (information security).

Even with such rich resources it won’t be possible to predict tomorrow’s headlines in information security. For example, which organisation will lose their customers' personal details to a hacker (Protalinski, 2013), which virus will strike complex processing control machinery (Wikipedia, 2016b) or which minister will divulge important policy details through a photograph of their meeting notes.

Figure 1 A minister leaving Downing Street with briefing notes clearly readable with a long lens camera

Nor can anyone predict the immediate or long-term response to such things: which legislation and regulation will be introduced or amended to require 2048 bit encoding of customer details, or the requirement that ministers must use opaque wallets for carrying meeting notes.

However, by staying up-to-date with regularly updated web resources, you may be in a better position to respond to InfoSec issues – both personally and within your organisation.

3.1 Which podcasts and blogs?

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

At the time of writing, the blog WordPress.com boasts of having over 400 million people viewing more than 22.3 billion pages each month! According to the Pew Research Center (2012), over 91,000 podcasts were produced in 2011 alone. Finding the most relevant resources from all of these is a difficult task and one that will get more difficult as the number of blogs and podcasts increases.

With a focus on information security, however, the number of relevant web resources comes down to a more manageable number. However, not all podcasts are equal: they vary in content, presentation, sound quality and support (for example, the availability of transcripts, resource lists and other supporting material). For instance:

Podcasts on InfoSec are generally, but not exclusively, produced in the US.
Podcasts vary greatly in their length, from fewer than ten minutes to an hour or more, and so finding and managing the time to engage with them can be a challenge.
A popular podcast format is an unscripted conversation between experts. Such podcasts can sometimes appear unfocused, containing material only loosely related to the topic and shallow in their coverage. Whether you grow to like this ‘feature’ of a podcast or not is unimportant.
There are a great number of podcasts which contain content related to InfoSec without being dedicated to InfoSec.

Because of this, and because no two students’ capabilities or interests are the same, we suggest a range of podcasts to work with. Feel free to find your own!

Activity 6: Tracking the leading edge

Have a quick look at the list of podcasts contained below, and make a note of any web resources that jump out at you as interesting. For example, if you are working within the banking industry you may find that the ‘Banking Industry Security Podcast’ stands out. There are specialist podcasts for Business Leaders, Cyberlaw, Government and Healthcare. Bruce Schneier's Crypto-Gram Security Podcast is also very popular.

After those, listen to at least two more podcasts. If you enjoy them, they can become quite addictive.

The way that you access these web resources is up to you – the lists contain links for (where available) both iTunes and standalone versions of the podcasts.

Instructions for accessing podcasts through iTunes are available in the Podcast section.

Table 1 Podcasts

Podcast title	Links	Description (from the website)
Banking Information Security Podcast	Direct iTunes	Audio interviews with banking/security leading practitioners and thinkers.
BTR: Security with Caleb Barlow \| Blog Talk Radio	Direct iTunes	Caleb Barlow, Director of Application, Data and Mobile Security at IBM presents a podcast on the changing landscape of information security, featuring topics for both business executives and security professionals.
BrightTALK IT Security Webcast	Direct	Presentations by leading experts in information security. Covers topics such as application, computer, network and internet security, access control management, data privacy and other hot topics.
BrightTALK Information Security Community Webcast	Direct	Primarily concerned with topics such as compliance, encryption, anti-virus, malware, cloud security, data protection, hacking, network security and virtualisation.
BrightTALK Governance, Risk and Compliance Webcast	Direct	Presentations by respected commentators in the fields of governance, risk and compliance.
CERIAS Security Seminar Podcast	No direct link available iTunes	Purdue faculty and visitors give in-depth presentations on topics in the areas of computer and network security, computer crime investigation, information warfare, information ethics, public policy for computing and security, and the computing ‘underground’.
CERT’s Podcast Series: Security for Business Leaders	No direct link available iTunes	Both general principles and specific starting points for InfoSec leaders.
Crypto-Gram Security Podcast	Direct iTunes	The Crypto-Gram Newsletter by Bruce Schneier in audio format, read by Dan Henage.
Data Breach today	Direct iTunes	News, research and education on the top industry, security, regulatory and technology challenges facing InfoSec leaders around the globe.
Eurotrash Security Podcast	Direct iTunes	An InfoSec podcast for the technically inclined with a dedicated European focus.
Government Information Security Podcast	Direct iTunes	For public sector security leaders implementing InfoSec in their organisation.
Healthcare Information Security Podcast	Direct iTunes	For healthcare security leaders implementing InfoSec in their organisation.
InfoRisk Today	Direct iTunes	News, opinions, education and other related content to assist senior executives and information security professionals.
PaulDotCom Security Weekly	Direct iTunes	Providing technical analysis and insight in a ‘friendly and entertaining manner’.
Sans Internet Storm Center Daily	Direct iTunes	Aimed at developing the information security technology leaders the world needs by providing instruction, research and public service programmes.
Security Now!	Direct iTunes	Focuses on personal computer security.
Security Wire Weekly	Direct	Timely details about information security threats and vulnerabilities, and their control.
The CyberJungle	Direct iTunes	News and chat about security, privacy and relevant law.
The Malware Report	No direct link available iTunes	Discusses the latest news and information related to internet and computer security, including tips and best practices for keeping users safe.

4 Conclusion

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

This OpenLearn course, Information security, has given you a brief introduction to the value of information within modern organisations. Organisations need to protect the value of their information, and this means being able to balance Confidentiality, Integrity and Availability: the CIA Triad. Getting this right motivates the subject of information security.

Keep on learning

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

Study another free course

There are more than 800 courses on OpenLearn for you to choose from on a range of subjects.

Find out more about all our free courses.

Take your studies further

Find out more about studying with The Open University by visiting our online prospectus.

If you are new to university study, you may be interested in our Access Courses or Certificates.

What’s new from OpenLearn?

For reference, full URLs to pages listed above:

OpenLearn – www.open.edu/ openlearn/ free-courses

Visiting our online prospectus – www.open.ac.uk/ courses

Access Courses – www.open.ac.uk/ courses/ do-it/ access

Certificates – www.open.ac.uk/ courses/ certificates-he

Newsletter – www.open.edu/ openlearn/ about-openlearn/ subscribe-the-openlearn-newsletter

References

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

Amerding, T (2012) ‘The 15 worst data security breaches of the 21st Century’, CSO, 15 February [Online]. Available at www.csoonline.com/ article/ 2130877/ data-protection/ data-protection-the-15-worst-data-security-breaches-of-the-21st-century.html (Accessed 4 June 2016).

Hunt, T. (2016) have I been pwned [Online]. Available at https://haveibeenpwned.com (Accessed 7 June 2016).

Itami, H. and Roehl, T. (1987) Mobilizing Invisible Assets, Harvard, Harvard University Press.

Pew Research Center (2012) The State of the News Media 2012 – Audio: By the Numbers [Online]. Available at http://stateofthemedia.org/ 2012/ audio-how-far-will-digital-go/ audio-by-the-numbers/ (Accessed 4 June 2016).

Protalinski, E. (2013) ‘Belgian rail firm SNCB Europe sees 1.5m customer details leaked, but fails to take responsibility’, The Next Web, [Online]. Available at http://thenextweb.com/ insider/ 2012/ 12/ 24/ belgian-rail-firm-sncb-europe-sees-1-5m-customer-details-leaked-but-fails-to-take-responsibility/ (Accessed 4 June 2016).

Wikipedia (2016a) Coca-Cola Formula [Online], 31 May 2016. Available at https://en.wikipedia.org/ wiki/ Coca-Cola_formula#Pemberton_recipe (Accessed 4 June 2016).

Wikipedia (2016b) Stuxnet [Online], 2 June 2016. Available at http://en.wikipedia.org/ wiki/ E-commerce (Accessed 1 June 2015).

Wolfram Alpha computational knowledge engine (Wolfram Alpha) (2016a) [Online]. Available at http://www.wolframalpha.com/ input/ ?i=market+value+and+book+value+coca-cola (Accessed 12 May 2016).

Wolfram Alpha computational knowledge engine (Wolfram Alpha) (2016b) [Online]. Available at http://www.wolframalpha.com/ input/ ?i=market+value+and+book+value+facebook (Accessed 12 May 2016).

WordPress (2013) Stats – Wordpress.com [Online]. Available at https://wordpress.com/ activity/ (Accessed 27 September 2013).

Acknowledgements

The Open University — Thu, 23 Jun 2016 10:43:46 GMT

This free course was written by Jon Hall.

Except for third party materials and otherwise stated (see terms and conditions), this content is made available under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Licence.

The material acknowledged below is Proprietary and used under licence (not subject to Creative Commons Licence). Grateful acknowledgement is made to the following sources for permission to reproduce material in this free course:

Every effort has been made to contact copyright owners. If any have been inadvertently overlooked, the publishers will be pleased to make the necessary arrangements at the first opportunity.

Figure 1 Steve Back/Rex Features

Don't miss out

If reading this text has inspired you to learn more, you may be interested in joining the millions of people who discover our free learning resources and qualifications by visiting The Open University – www.open.edu/ openlearn/ free-courses.