All content following this page was uploaded by Sugata Sanyal on 29 May 2014.
Editorial Preface
Information Assurance and Security
Corey D. Schou, Idaho State University, USA
Kenneth J. Trimmer, Idaho State University, USA
manufacturing are a sample of critical information infrastructure components that support a modern economy and society. These systems have become so complex that no one understands all their interactions. This complexity, combined with closely coupled systems operations, creates fragile critical systems. In these systems, failure of a single component may adversely affect the integrity, confidentiality, and availability of many critical systems. In addition to being fragile, they are brittle — they may break unexpectedly into a nonrecoverable state. No national or international security effort can afford to place the security of its economy and society on the backs of fragile systems.

Although languages and specifics may differ by discipline, there is now general recognition that information technology security is a core business process. Integral to establishing a core process is building a competent information technology security work force — a people based countermeasure. This security workforce facilitates both industry and government in establishing integrated information security systems relying on multidimensional approaches. The multidimensional approach deals with technologies such as biometrics, cryptographic systems, and smart cards; operations issues such as HIPAA, transborder data flows, procedures, software property rights, privacy, auditing, personnel, and risk assessment; as well as people development, which goes beyond education and training into professional development and recognition through certification.

In the final analysis, our economy is either directly or indirectly under attack; this attack has been termed network centric warfare. “The organizing principle of network-centric-warfare has its antecedent in the dynamics of growth and competition that have emerged in the modern economy”.4 Information assurance protects critical information infrastructures and provides for homeland security.5

Information Assurance & the End User

Information assurance relies on a triad of countermeasures; this triad is a defense in depth model. The most obvious and expensive countermeasure is technology. Technology includes everything from operating systems to routers, switches, and electronic intrusion detection systems. No matter how well designed these technical countermeasures are, they are ineffective if they are not supported by well-designed operational plans, policies, and goals. However, in the final analysis, all of this fails if one does not have end users who are aware of information assurance issues and trained to operate systems appropriately. Like an iceberg, the majority of information assurance lies out of sight, supporting the small, visible portion at the top; and as with an iceberg, one must worry about the parts that are unseen.

Guidelines for Users

From an end user perspective, education, awareness, and training are the important countermeasures. In the U.S., the federal government took training the end user seriously enough to demand that all federal employees using sensitive systems receive annual training. The Computer Security Act (PL 100-235) also delineated the responsibility for information assurance standards between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). However, how does one know
where to start building compliance and good practice?

In addressing where to start the building process, two main standards were developed to aid managers in determining the end user needs for awareness, training, and education countermeasures. The NIST Standard 800-16 and Committee on National Security Standards (CNSS)6 standards 4011 through 4016 detail the training contents. These standards evolved from a series of studies over more than a decade that established their content. Figure 2 shows7 the relationships among literacy, awareness, training, and education.

[Figure 2 (image not reproduced): the relationships among literacy, awareness, training, and education. Labels appearing in the figure: TECHNOLOGY, POLICY, PRACTICE, EDUCATION; Manage, Acquire, Design, Implement, Operate, Use, Other; Education, Training, Awareness, Literacy, Technology Literacy; All Employees.]

Awareness Training & Education: End User Solutions

To illustrate the need for training and education, the healthcare environment provides an example. By implication, every healthcare worker needs to have a common understanding that allows all individuals involved in biomedical informatics and their associated critical information infrastructure systems to work together in an environment of trust.8 It is essential that these individuals be interoperable and work from the same knowledge base to insure robust, reliable, and resilient systems.

A broad effort to assist in facilitating this in the United States was fueled in 1997 when the President’s Commission on Critical Infrastructure Protection called for:

“NIST, NSA, and the U.S. Department of Education work in collaboration with the private sector to develop programs for education and training of information assurance specialists and for the continuing education as technologies change.”9

The previous statements indicate a strong need for a structured model for literacy, awareness, training, and education to all employees.10

Awareness

Awareness is at the lowest level of the solution to information assurance. It is designed to affect short-term memory. It is composed of stimulation, focus, attention, decision, and assimilation (examples are presented in Table 1). A successful program will begin by meeting these five requirements.
The selection of articles for this first special edition covers many of the critical issues of end user computing from both the industrial and academic standpoint.

The special edition begins with a conceptual and definitional work by Gupta, Rao, and Upadhyaya, a discussion of a broad range of security and assurance issues with a focus on electronic banking. This paper provides the information professional with little background in IA an introduction to its terminology and principles, as well as specific topics focusing on banking issues.

The next research paper is an empirical work by Aytes and Connolly that provides a perspective on potential security concerns for organizations. This research focuses on the security behaviors of a population of undergraduate IT majors. The researchers discuss perceived risk and the security precautions emphasized by these future organizational employees.

Warkentin, Davis, and Bekkering present a strategy to provide system users with robust password security. Their empirical study on preferences for competing password strategies presents a new password generation strategy. As with the previous paper, their work also utilizes an important future pool for information assurance, students.

In the final paper of the edition, Stahl conceptually discusses individual responsibility, information assurance, and security. His manuscript develops the argument that individuals have limitations in being totally responsible for their information assurance activities and that the organization needs to be aware of such limitations.

If the reader is being introduced to information assurance issues, we hope that you find this set of research manuscripts informative. For the reader experienced in IA issues, our hope is that you find the conceptual and empirical studies presented here stimulating to your research, practice, and teaching.

Endnotes

1. Integrity is the quality of an information system reflecting logical correctness, reliability, and the consistency of the data structures and occurrence of the stored data. Confidentiality is the assurance that information is not disclosed to unauthorized persons, processes, or devices. Availability is the timely, reliable access to data and information services for authorized users.
2. Family Educational Rights and Privacy Act and Health Insurance Portability and Accountability Act.
3. V. Maconachy, C. Schou, D. Welch, & D. J. Ragsdale (2001). “A Model for Information Assurance: An Integrated Approach.” Proceedings of the 2nd Annual IEEE Systems, Man, and Cybernetics Information Assurance Workshop, West Point, NY (June 5-6, pp. 306-310).
4. A. K. Cebrowski & J. J. Garstka (1988, January). Network-Centric Warfare: Its Origin and Future. Naval Institute Proceedings.
5. C. D. Schou & J. Frost (2004). Homeland Security and Information Assurance in Biomedical Informatics Systems. IEEE Engineering in Medicine and Biology (January/February).
6. http://www.nstissc.gov/html/library.html
7. Based on a figure in C. Schou, W. V. Maconachy, et al. (1993). “Organizational Information Security: Awareness, Training, and Education to Maintain System Integrity.” Proceedings of the 9th International Computer Security Symposium, Toronto, Canada, IFIP.
8. C. Schou (2003). Standards, Standards, Standards, Who Has the Standards. Proceedings 4th Australian Information Warfare and IT Security Conference – Enhancing Trust (November 20-21). University of South Australia, Adelaide, Australia.
9. Critical Foundations: Protecting America’s Infrastructures. The Report of the President’s Commission on Critical Infrastructure Protection. Oct. 1997, p. 71.
10. C. Schou, W. V. Maconachy, & J. Frost (1993). “Organizational Information Security: Awareness, Training and Education to Maintain System Integrity.” Proceedings Ninth International Computer Security Symposium, Toronto, Canada, May.
11. Redefining Security: Joint Security Commission Report, Feb. 28, 1994, p. 124.
12. http://www.isc2.org
13. http://www.usdoj.gov/criminal/cybercrime/factsh.htm
14. http://www.nsa.gov/ia/academia/acade00001.cfm
15. http://www.ehr.nsf.gov/due/programs/sfs/
Corey D. Schou is the university professor of Informatics, professor of Information Systems, and
associate dean of the College of Business at Idaho State University (USA). He has been involved
in establishing computer security and information assurance training and standards for 25 years.
His research interests include information assurance, ethics, privacy, and collaborative decision-
making. Through his research, he was responsible for compiling and editing computer security
standards and training materials for the Committee on National Security Systems (CNSS). Dr.
Schou serves as the chair of the Colloquium for Information Systems Security Education (CISSE).
Under his leadership, the Colloquium creates an environment for exchange and dialogue among
leaders in government, industry, and academia concerning information security and information
assurance education. In addition, he serves as the editor of Information Systems Security and is
on the board of several professional organizations. He has served as the principal investigator
on 40 funded research projects and is currently principal investigator on the NSF Scholarship for
Service program in information assurance.
Ken Trimmer is an assistant professor of Computer Information Systems in the College of Business
at Idaho State University (USA). He has a PhD in Management Information Systems from the
University of South Florida where his dissertation focused on conflict on cross-functional teams
involved in information systems development. In addition to his research interests in systems
development, Dr. Trimmer has interests and publications in the management of systems in the
healthcare environment, educational issues in information systems coursework, and information
systems issues in small to medium organizations, which includes software development as well as
the utilization of systems. Dr. Trimmer also has interests in the teaching of information assurance,
and security issues in healthcare organizations, particularly with HIPAA.