Information Security from

Practice to Theory:
Case Study Based Learning

Alexandra Savelieva,
Asst. Professor, PhD
Sergey Avdoshin,
Professor, PhD, Head of Software Engineering Department

National Research University Higher School of Economics,

Moscow, Russia
School of Software Management
Information security education problem
Academia vs. Real World
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions
Decisions

Higher School of Economics - 2012 2

 How to make information security
course:
interactive and entertaining ET AUD
RG IENC
TA E
facilitating development of analytical
skills
encouraging active use of theoretical
knowledge
close to real-world situation
adaptive to students level and
background
admitting both teamwork and
independent work
with minimal requirements to
laboratory equipment

Higher School of Economics - 2012 3

 Case study method
Case studies are stories with educational message
(Source: Clyde Freeman Herreid, Start with a story)
Purpose: teaching students work individually / as a
team to:
Analyse information,
Process it in a systematic way
Outline key problems
Generate and evaluate alternative solutions
Select optimal solution and prepare for actions

Higher School of Economics - 2012 4

According to the standard ISO/IEC
27001:2005
Information security event is "an identified
occurrence of a system, service or network state
indicating a possible breach of information security
policy or failure of safeguards, or a previously
unknown situation that may be security relevant.

Information security incident is "a single or a

series of unwanted or unexpected information
security events that have a significant probability of
compromising business operations and threatening
information security".

Higher School of Economics - 2012 5

 Structure of case study

Higher School of Economics - 2012 6

 Methods and tools
Terminology & definitions
Static & Dynamic perspective
Parkerian hexad
STRIDE security model
Event chain
What-if analysis

Higher School of Economics - 2012 7

 Terminology and relationships
Definition 1. Information security risk refers to probability
and impact of an information security property violation
threat.
Definition 2. Information security property is a subset of six
fundamental elements of information security
(Confidentiality, Possession or control, Integrity, Authenticity,
Availability, and Utility) that can be attributed to an
information asset.
Definition 3. Information asset is a piece of information that
is valuable to an organization.
Definition 4. Threat is a process that can lead to violation of
information security property.
Definition 5. Malicious activity refers to behavior of a
person or a system that produces one or more threats.

Higher School of Economics - 2012 8

 The Classic Triad

CIA

Higher School of Economics - 2012 9

 The Parkerian Hexad
Protect the 6 atomic elements of INFOSEC:
Confidentiality
Possession or control
Integrity
Authenticity
Availability
Utility

Kabay, M. E. (1996). The NCSA Guide to Enterprise Security:

Protecting Information Assets. McGraw-Hill (New York). ISBN 0-07-
033147-2. xii + 388 pp.
Higher School of Economics - 2012 10
 STRIDE classification of threats
Threat Property Definition Example
Spoofing Authentication Impersonating Pretending to be any of billg, microsoft.com or
Authorization something or ntdll.dll
someone else.
Tampering Data Validation Modifying data or Modifying a DLL on disk or DVD, or a packet as it
Sensitive Data code traverses the LAN.
Cryptography
Repudiation Cryptography Claiming to have not I didnt send that email, I didnt modify that
Auditing performed an action. file, I certainly didnt visit that web site, dear!

Information Session Mgt Exposing information Allowing someone to read the Windows source
Disclosure Exception Mgt to someone not code; publishing a list of customers to a web site.
authorized to see it

Denial of Configuration Mgt Deny or degrade Crashing Windows or a web site, sending a packet
Service service to users and absorbing seconds of CPU time, or routing
packets into a black hole.
Elevation of Exception Mgt Gain capabilities Allowing a remote internet user to run commands
Privilege Authorization without proper is the classic example, but also going from a
authorization limited user to admin.
M.Howard and S.Lipner, The Security Development Lifecycle: SDL: A Process
for Developing Demonstrably More Secure Software. Microsoft Press, pp.304
(2006)

Microsoft / Secure Development Lifecycle 11

 Static perspective

Information Malicious
Asset activity

SECURITY PROPERTY RISK SECURITY THREAT

Higher School of Economics - 2012 12

 Dynamic perspective

Informati
on
System
(Target of
Attack)

Serdiouk, V.A.: Advances in Technologies for Protection against Attacks in

Corporate Networks. Tekhnosphera, Moscow (2007)
Higher School of Economics - 2012 13
Combined perspective: Event Chain

Attack 1

Attack 2

Attack n

Higher School of Economics - 2012 14

 Case study analysis: table
representation

Higher School of Economics - 2012 15

 Application

Higher School of Economics - 2012 16

Case study example: Event chain

Higher School of Economics - 2012 17

 Case study example analysis

Higher School of Economics - 2012 18

 Our contributions
Conceptual schema for static analysis of information
security event
Event chain visualization for chronological analysis of
information security incident
Table representation template for the results of case
study analysis
Algorithm for applying the above tools to a case study
Combination of various techniques from threat
modeling (STRIDE), project management (Event
Chain Diagrams) and information security risk
analysis
Framework in line with ISO/IEC 27001:2005 which
belongs to the family of the most popular standards
on information security management

Higher School of Economics - 2012 19

 Approbation
Software Engineering Department of National Research
University Higher School of Economics
Information security management (MSc programme, 2nd year)
Methods of information protection (BSc programme, 4th year).
Training Labs'2010 conference
Format: interactive case study training Risk management in the world
of digital dependencies
Course Microsoft technologies and products in information
protection, supported by a grant from Microsoft
Microsoft faculty resource center,
https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=8476&Login
Internet university for information technologies,
http://www.intuit.ru/department/security/mssec/

Higher School of Economics - 2012 20

Results - presentation & discussion
Workshop on Teaching Business Informatics: Intelligent
Educational Systems and E-learning, BIR 2012, Nizhny Novgorod
Central & Eastern European Software Engineering Conference in
Russia 2012, Moscow
International conference Management of Quality. Information
Systems Management MQ-ISM-2012, Vienna
IT Security for the Next Generation - European Cup 2011, Munich
2011 Workshop on Cyber Security and Global Affairs, Budapest
Training Labs2010, Moscow

Higher School of Economics - 2012 21

 Advantages of case study method
Focus on practical aspects of information security in
the real world
High level of students interest and involvement
Understanding of organizational decisions and
corporate culture impact on information security
Demonstration of risk management principles
application in the context of information protection
Practical classes with minimum requirements to
equipment
Multifaceted approach to information security
from the perspective of user, technical specialist,
CFO, architect, top-manager

Higher School of Economics - 2012 22

 Acknowledgements

Higher School of Economics - 2012 23

Information Security from
Practice to Theory:
Case Study Based Learning

asavelieva@hse.ru savdoshin@hse.ru