You’ll remember from Week 1 that, when thinking about computer security, it helps to think of information as an asset. Just like money in the bank, it is valuable, possibly irreplaceable, and crucially it can be lost or stolen.
When we think about our assets, traditionally we consider tangible things such as money, property, machinery and so on. Increasingly, it is recognised that information itself is an asset, crucial to adding value. In today’s digital world, it is increasingly apparent that information is the most important asset, for both businesses and individuals – just think of the value of music to a media company or a games program to a video game company.
Considering information as an asset allows us to create strategies for protecting information and minimising the consequences of any disaster.
Case study: San Francisco Medical Center
In October 2002, the University of California, San Francisco Medical Center received an email message from someone who claimed to be a doctor working in Pakistan and who threatened to release patient records onto the internet unless the money owed to her was paid. Several confidential medical transcripts were attached to the email.
UCSF staff were mystified: they had no dealings in Pakistan and certainly did not employ the person who sent the email. The Medical Center began an immediate investigation, concentrating on their transcription service, which had been outsourced to Transcription Stat, based in nearby Sausalito. It transpired that Transcription Stat farmed out work to 15 sub-contractors scattered across America. One of these sub-contractors was Florida-based Sonya Newburn, who in turn employed further sub-contractors, including Tom Spires of Texas. No one at Transcription Stat realised that Spires also employed his own sub-contractors, including the sender of the email. The sender alleged that Spires owed her money and had not paid her for some time.
Newburn eventually agreed to pay the $500 that the email sender claimed was owed to her. In return the sender informed UCSF that she had had no intention of publicising personal information and had destroyed any records in her care. Of course, there is no way to prove that the records have actually been destroyed.
Naturally, you would not wish your own medical records to be publicised: they should be secure. This threat cost the organisation little in monetary terms, but how much in reputation? Just what is a reputation worth? Or, to put it another way, how much should you invest in information security to protect a reputation?
Information in this context is a very broad term, and it applies to large and small organisations as well as to individual users. So a doctor’s surgery’s information assets would include things such as personal medical records, telephone contact lists and its emails, as well as personal information about its employees. A manufacturing company will have electronic records of order books, correspondence with suppliers and customers, staff records, bank references and so on.
Risk management
Information security risk management assesses the value of information assets belonging to an individual or an organisation and, if appropriate, protects them on an ongoing basis.
Information is stored, used and transmitted using various media. Some information is tangible, paper for example, and it is relatively straightforward to put strategies in place to protect it – such as locking filing cabinets or restricting access to archives.
On the other hand, some information is intangible, such as the ideas in employees’ minds, and is much harder to protect. Companies might try to secure such information by making sure their employees are happy, or by legal means such as having contracts that prevent people leaving and going to work for a rival.
Imperatives and incentives
Information security risk management considers the process in terms of two factors: imperatives and incentives. Imperatives are pressures that force you to act. Incentives are the rewards and opportunities that arise from acting.
The imperatives for information security arise from legislation and regulation. The Computer Misuse Act and the Data Protection Act are examples of legislative imperatives. Regulatory imperatives include standards such as the Payment Card Industry Data Security Standard (PCI-DSS), which specifies how merchants should secure all card transactions.
The most important incentive is trust. People and organisations are more likely to work with other people and organisations who have secured their information. Establishing this trust requires that the parties involved examine each other’s information security practices to ensure that there are adequate safeguards to protect the information. One way of doing this is to show that the organisation has satisfied the requirements of standards such as PCI-DSS or the ISO27000 family of standards for designing and implementing information security management systems.
Risk analysis
We use the term risk in everyday speech, but a whole science has grown up around the identification, analysis and management of risks. You will now look briefly at how to apply some of these ideas to identifying, assessing and reducing risks that affect the security of your information.
Risk can be thought of as the chance of adverse consequences or loss occurring. Generally, risks can be identified and the likelihood of them occurring assessed.
The main technique for a qualitative analysis of risk is to construct a likelihood–impact matrix in which the likelihood and impact of each risk event are assessed against a defined scale and then plotted on a two-dimensional grid. The position on the grid represents the relative significance of each risk. The simplest matrix is formed by classifying both likelihood and impact as either high or low, which leads to a 2 by 2 grid. This basic classification of a high or low value leads to the following rank order for tackling risks:
- high-impact, high-likelihood risks
- high-impact, low-likelihood risks
- low-impact, high-likelihood risks.
Risk analysis in practice
Let’s think about a practical example of how qualitative risk analysis could be done for Lewis’s information assets.
Any successful attack on email, banking details and password information will have high impact, and there is a high likelihood that these assets will be targeted because of their high value to an attacker. So they should go in the high-high box.
An attack that affects the study materials or digital photographs will have high impact, but there is a low likelihood given that these assets have minimal financial value to an attacker. These should be placed in the high-low box.
An attack on the digital music or videos will have low impact, since these can be downloaded again easily. However, it will have high likelihood because these assets can be easily copied and sold, making them attractive to an attacker. Therefore, they go in the low-high box.
Conducting a risk analysis is an important part of protecting your information assets. Following Lewis’s example, consider your own list of information assets and carry out a similar risk analysis to determine the impact and likelihood of attack for each type of information.
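The 2 by 2 likelihood–impact matrix and the rank order given above, applied to Lewis’s assets, as an added worked example (not part of the original course text). The asset ratings are those stated in the text; the `RiskEvent` and `Level` names and the tie-break on asset name are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Two-point qualitative scale used by the simplest matrix."""
    LOW = 0
    HIGH = 1


@dataclass(frozen=True)
class RiskEvent:
    asset: str
    impact: Level
    likelihood: Level


# Rank order for tackling risks, as given in the text: impact dominates
# likelihood, so high-impact/low-likelihood comes before low-impact/high-
# likelihood. Low/low risks are not in the text's list and are ranked last.
RANK_ORDER = [
    (Level.HIGH, Level.HIGH),
    (Level.HIGH, Level.LOW),
    (Level.LOW, Level.HIGH),
    (Level.LOW, Level.LOW),
]


def priority(event: RiskEvent) -> int:
    """0 = tackle first; larger numbers are tackled later."""
    return RANK_ORDER.index((event.impact, event.likelihood))


def build_matrix(events):
    """Place each event in its box; keys are (impact, likelihood) pairs."""
    grid = {cell: [] for cell in RANK_ORDER}
    for event in events:
        grid[(event.impact, event.likelihood)].append(event.asset)
    return grid


def rank(events):
    """Assets in the order they should be tackled (name breaks ties)."""
    return [e.asset for e in sorted(events, key=lambda e: (priority(e), e.asset))]


# Lewis's assets, rated as in the text (constructed input).
LEWIS_ASSETS = [
    RiskEvent("email", Level.HIGH, Level.HIGH),
    RiskEvent("banking details", Level.HIGH, Level.HIGH),
    RiskEvent("passwords", Level.HIGH, Level.HIGH),
    RiskEvent("study materials", Level.HIGH, Level.LOW),
    RiskEvent("digital photographs", Level.HIGH, Level.LOW),
    RiskEvent("digital music", Level.LOW, Level.HIGH),
    RiskEvent("videos", Level.LOW, Level.HIGH),
]
```

Replacing `Level` with a three- or five-point scale and extending `RANK_ORDER` gives the larger grids used in practice without changing `priority`, `build_matrix` or `rank`.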
© The Open University