Security Management: Threat Assessment, Protection, and Services
Added on 2023/06/08
AI Summary
This report delves into the core principles of security management, beginning with a discussion of threat assessment and risk analysis within information systems. It examines the application of scientific management principles to security, highlighting the evolution of information protection methodologies from initial to complex stages. The report then evaluates the impact of information technology on organizational activities, emphasizing the importance of a holistic approach to security. A detailed explanation of the 'concentric protection' or 'defense-in-depth' theory is provided, illustrating how layered security controls enhance overall protection. Finally, the report compares the advantages and disadvantages of outsourced versus proprietary guard services, as well as outsourced versus in-house information security solutions, offering insights into the practical considerations of each approach. The assignment covers a comprehensive overview of security management, emphasizing the importance of adapting to evolving threats and technologies.

Running head: SECURITY MANAGEMENT
Security Management
Name:
Institution:
Date:
Question 1
Threat assessment and Risk analysis in system security
Threat assessment in an information system is a structured group process used to
evaluate the risk posed by a person in response to a perceived or actual threat of a behavior.
Risk analysis, on the other hand, is the systematic assessment of the likelihood that a
threat will occur in system security.
Principles of scientific management to security management in risk security
In the design of large information systems, in the traditional American understanding,
there has of late been a clear "failure." This also applies to the field of technology. At the
same time, the process of creating a single information technology environment based on
network technologies is now under way. Fundamentally new for the technology system, not only
in America but all over the world, is the process of creating a distributed information
environment (Biggio et al., 2015).
1) Providing factual data of administrative structures;
2) Use of information data for automated control systems;
3) Use of information to support the activities of various consumers (organizations, scientists,
artists, writers, journalists, etc.).
Information for management structures (state, corporations, and organizations) is
provided primarily through organizations specifically engaged in data collection (public
statistical bodies, scientific centers of various types). A large role in the information support
of management structures is played by the mass media, which not only represent a large body
of information, but also form public opinion that influences management systems on its basis.
The second important area of information support is the formation of information for the
automatic control system (ACS). The information entered into the ACS is an
indispensable element of the entire system, without which mathematical, technical,
organizational and legal functioning is impossible. The information entered into the system and
its pre-processing are the basis of modern automated information systems. The third direction of
information support is related to the satisfaction of information requests of consumers of the
most diverse type: organizations, institutions, and individuals (Biringer & Warren, 2016).
In this case, not only statistical data, sociological surveys, data from archives and
other official institutions, but also types of information such as book and journal publications,
scientific reports, dissertations, etc., serve as information support. This type of information
is most commonly provided by libraries, and in modern conditions, services and
information analysis centers are becoming increasingly important (for example, in America,
the All-American Institute of Scientific and Technical Information, the Scientific and Technical
Information Center and other information services). Let us now consider the development
of methodological approaches to the organization and protection of information.
Naturally, in the time that has elapsed since the problem first appeared, both the
understanding of its essence and the methodological approaches to its solution have changed
substantially. These changes took place gradually and continuously, so any periodization of this
process will be largely artificial. Nevertheless, regarding the approaches to information
protection, the whole period of active work on the problem under consideration is fairly
clearly divided into three stages, which can be conditionally called initial, developed and
complex.
Evaluation of the impact of information technology on the activities of the organization
As a rule, components (tools and information technology) of automated information
systems (AIS), automated control systems (AMS), telecommunication systems (TIS), as well
as information resources (IR), accumulated and processed by these computer systems.
Nevertheless, from the point of view of a holistic consideration of any organizational
structure, regardless of its functional purpose (entrepreneurship, production, banking,
management, etc.) to solve the problem of information security, a much more complex
component picture of the object is required. In the literature there are attempts to find a
general term for naming such objects: the socio-technical system, the object of information or
automation, etc. It seems to us that it is quite enough to use the term "organization" as an
independent object of a particular type of activity. At the same time, firstly, emphasis is
placed on the main purpose of the object, and secondly, when it comes to ensuring
information security, it is obviously necessary to consider the entire information sphere and
the impact of information processes on the main activity of the facility. For the organization,
at least two aspects of its information manifestation can be distinguished: intra-object
information activity and external information manifestation of the object. In-house
information activity is provided and implemented by such components as automated
processes and ACS, AIS, TKS, IR, information support (including in the form of
technologies for working with traditional documents on paper carriers), information and
analytical support.
Question 2
Compose a detailed explanation of the “concentric protection” or “defense-in-depth”
theory of security protection
Concentric protection offers physical protection in monitoring and cyber threat
protection. It establishes perimeter security together with threat intelligence and intelligence
analysts. Defense in depth is also known as the castle approach, in which there are layers of
security controls in the technology system.
The concept of in-house information activity is, in principle, quite identical with
the notion of an organization's information system (IS) in the broad sense, in which it unites all
types of information activity (computer and telecommunication systems, traditional office
work, external information and analytical support, etc.). External information manifestation
of the object can be staffed (external staff information interaction - messages via TCS and
traditional document flows) and bypass the design of large information systems in the
traditional American understanding of late there is a clear "failure." This also applies to the
field of technology. At the same time, at present the process of creating a single information
technology environment based on network technologies is under way. Fundamentally new for
the technology system, not only in America, but all over the world, is the process of creating
a distributed information environment.
1) Providing factual data of administrative structures;
2) Use of information data for automated control systems;
3) Use of information to support the activities of various consumers (organizations, scientists,
artists, writers, journalists, etc.).
Information for management structures (state, corporations, and organizations) is
provided primarily through organizations specifically engaged in data collection (public
statistical bodies, scientific centers of various types). A large role in the information support
of management structures is played by the mass media, which not only represent a large body
of information, but also form public opinion influencing management systems on its basis
(Deane, 2015). The second important area of information support is the formation of
information for the automatic control system (ACS). The information entered into the ACS
system is an indispensable element of the entire system, without which mathematical,
technical, organizational and legal functioning is impossible. The information entered into the
system and its pre-processing are the basis of modern automated information systems. The third
direction of information support is related to the satisfaction of information requests of
consumers of the most diverse type: organizations, institutions, and individuals. In this case,
not only statistical data, sociological surveys, data from archives and other official
institutions, but also types of information such as book and journal publications, scientific
reports, dissertations, etc., serve as information support. This type of information is most
commonly provided by libraries, and in modern conditions, services and information
analysis centers are becoming increasingly important (for example, in America, the
All-American Institute of Scientific and Technical Information, the Scientific and Technical
Information Center and other information services).
Evaluation of the impact of information technology on the activities of the organization
As a rule, components (tools and information technology) of automated information
systems (AIS), automated control systems (AMS), telecommunication systems (TIS), as well
as information resources (IR), accumulated and processed by these computer systems.
Nevertheless, from the point of view of a holistic consideration of any organizational
structure, regardless of its functional purpose (entrepreneurship, production, banking,
management, etc.) to solve the problem of information security, a much more complex
component picture of the object is required. In the literature there are attempts to find a
general term for naming such objects: the socio-technical system, the object of information or
automation, etc. It seems to us that it is quite enough to use the term "organization" as an
independent object of a particular type of activity (Dhillon & Backhouse, 2000). At the same
time, firstly, emphasis is placed on the main purpose of the object, and secondly, when it
comes to ensuring information security, it is obviously necessary to consider the entire
information sphere and the impact of information processes on the main activity of the
facility. For the organization, at least two aspects of its information manifestation can be
distinguished: intra-object information activity and external information manifestation of the
object. In-house information security is provided and implemented by such components as
automated processes and ACS, AIS, TKS, IR, information support (including in the form of
technologies for working with traditional documents on paper carriers), information and
analytical support. The concept of in-house information activity is, in principle, quite
identical with the notion of an organization's information system (IS) in the broad sense,
in which it unites all types of information activity (computer and telecommunication systems,
traditional office work, external information and analytical support, etc.).
Question 3
Compare the pros and cons of outsourced versus proprietary guard services. For those
of you with an information security background, compare the pros and cons of
outsourced versus in-house information security solutions
The problem of protecting information, in general, has a long history. Even the rock
paintings (not to mention the ancient manuscripts) are nothing more than an attempt to
preserve information about the realities of the objective world. The use of special measures to
preserve information in secret was practiced in ancient times: it is certain, for example, that
the eminent politician and commander of ancient Rome, Caesar, used for this purpose a
cryptographic transformation of the texts of messages (which went down in history under the
name of Caesar's cipher), although by modern standards it is very primitive. But since the
issues of information protection in automated processing systems are considered here, we
will also retrospectively analyze their origin and development to the depth of the real
existence of these systems. Special journals are issued, conferences are regularly held, the
relevant disciplines are included in the curricula of all universities that train computer
scientists and their use. First of all, the experts are unanimous in assessing the extreme
importance of the problem of protection, and in support cite numerous specific facts of
malicious acts on information located in the system (Mao & Iravani, 2014). The
consequences of such actions were often quite severe.
Under the influence of the above facts and in connection with expanding openness, in
recent years there has been a sharp increase in interest in the problem of information
protection in the system, and the corresponding work is being carried out on a broad front
and with growing intensity. Evidence for this is provided by the following facts:
Systemic accounting of the entire set of potentially destabilizing factors affecting the security
of information.
The most complete account of existing and prospective opportunities (ways,
methods, means) of information protection.
Development of unified approaches to the formation of a list, methods and means of
solving defense tasks.
The initial stage of protection was characterized by the fact that protection of
information (protection of information containing information constituting a secret) was
understood as preventing its unauthorized receipt by individuals or processes (tasks) that did
not have the authority to do so, and for this purpose formal (i.e., functioning without human
participation) facilities were used. The most common protection mechanisms were password checks
of access rights to the system (the purpose is to prevent access of unregistered users) and
delineation of access to data arrays (databases) (the goal is to prevent registered users from
accessing data beyond their authority).
Modern information technologies offer unlimited opportunities for business
development, providing information necessary for system-making of the right quality and at
the right time. Information critical to business needs to be accessible, holistic and confidential
(Sallam, 2016). At the same time, due to the increasing complexity of information systems
and the information technologies they use, the number of vulnerabilities and potential threats
to these systems is increasing.
Obviously, the issues of information security are relevant today not only for
governmental and commercial structures. Recently, in connection with the commercialization
of American universities and the trends in the emergence of American technology on the
European and world market of technology services, the issue of ensuring sustainable
functioning and increasing the competitiveness of technology The aim of the research is to
increase the effectiveness of information security management at the university based on the
development of models and algorithms for analyzing and managing information risks using
cognitive modeling technologies (Pearcy & Gaskins, 2015).
To achieve this goal, it is necessary to solve the following tasks:
1) Conduct a system analysis of the business processes of the university as an object of
protection and determine the requirements for ensuring the information security of the
university;
2) Develop a set of models that determine the main components of the information risks of the
university (models of threats, intruders, vulnerabilities, damage);
3) Develop algorithms for analyzing and managing information risks of the university using
fuzzy cognitive maps;
4) Develop tools for assessing the level of information risks of the university and
selecting the necessary countermeasures for managing information security.
One of the most important components of the successful development of society is
the security of its information resources. Information in the modern information society
becomes one of the key elements of business; it becomes the subject of purchase and sale
with value characteristics. Any processes in the financial, industrial, political or social sphere
are directly connected with information resources and the use of information technologies.
Question 4
Select a technological innovation that has revolutionized the security industry and
validate both its effect on the industry from a management perspective and its
functional operation
Password verification
The verification of access rights by password worked as follows: each registered
user was given a personal password (a set of characters from a well-defined
alphabet), all passwords were stored in a protected area of the storage device, and a user was
admitted to the system only when the password he presented matched the password
held in memory. The main advantage of this mechanism is its simplicity; the main drawback is
low reliability: short passwords can be found by simply trying all possible
combinations, and long ones are hard to remember. In addition, a skilled attacker could, with limited
effort, penetrate the area of memory in which the reference passwords were stored. To
increase the reliability of the verification of rights, the following measures were
developed: increasing the size of the alphabet from which the passwords were generated;
the use of multiple passwords; encryption of reference passwords; and others (Shaikh & Fan,
2017).
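The two weaknesses named above (a small search space and readable reference passwords) can be seen side by side in the following added example, which is not part of the original report. It assumes PBKDF2 with a per-user salt as the modern stand-in for "encryption of reference passwords"; the class names, iteration count and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def keyspace(alphabet_size, length):
    """Worst-case number of candidates for a password of fixed length."""
    return alphabet_size ** length


class PlaintextStore:
    """The early scheme from the text: reference passwords kept verbatim."""

    def __init__(self):
        self.records = {}  # user -> password

    def enroll(self, user, password):
        self.records[user] = password

    def verify(self, user, password):
        return self.records.get(user) == password


class DerivedKeyStore:
    """Hardened form: only a per-user salt and a one-way derived key are kept."""

    def __init__(self):
        self.records = {}  # user -> (salt, derived_key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        # Unknown users get a dummy record so both paths do the same work.
        salt, stored = self.records.get(user, (b"\x00" * 16, b"\x00" * 32))
        candidate = self._derive(password, salt)
        # compare_digest avoids leaking the match position through timing.
        return hmac.compare_digest(candidate, stored) and user in self.records


def exposed_passwords(store):
    """Passwords readable directly from a copy of the protected storage area."""
    return [v for v in store.records.values() if isinstance(v, str)]
```

Moving from a 26-letter to a 62-character alphabet at length 6 raises the search space from `keyspace(26, 6)` to `keyspace(62, 6)`, and a copy of a `DerivedKeyStore` yields no password directly.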
Access to data arrays (databases) was restricted in several ways: by dividing arrays
(bases) into zones according to the degree of secrecy and giving each user the
appropriate level of access; by mandates issued to users, listing the identifiers of those
elements of the data arrays (databases) to which they were allowed access; and by
a specially composed authorization matrix, whose rows contained user identifiers, whose
columns contained identifiers of elements of data arrays (databases), and whose cells, at the
intersection of a row and a column, held the symbol of the rights of the relevant user to the
corresponding data element (access denied, read allowed, write allowed, read and write, etc.). Access control
mechanisms proved to be sufficiently effective and so necessary that, in some modified form,
they are still used today and will be used in the future too. The described protection
mechanisms were implemented using special programs that performed their functions under
the operating system of the protected computer.
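The three schemes described above fit in one small model, shown here as an added example that is not part of the original report: the authorization matrix holds a rights symbol per (user, element) cell, a mandate is one row of that matrix, and zones compare a clearance with a secrecy level. The user names, data elements and zone labels are constructed for illustration.

```python
from enum import Flag, auto


class Right(Flag):
    NONE = 0          # access denied
    READ = auto()
    WRITE = auto()


class AuthorizationMatrix:
    def __init__(self):
        # (user_id, element_id) -> Right; a missing cell means access is denied
        self._cells = {}

    def grant(self, user, element, rights):
        held = self._cells.get((user, element), Right.NONE)
        self._cells[(user, element)] = held | rights

    def revoke(self, user, element, rights):
        held = self._cells.get((user, element), Right.NONE) & ~rights
        if held:
            self._cells[(user, element)] = held
        else:
            self._cells.pop((user, element), None)

    def allowed(self, user, element, needed):
        """Default deny: every requested right must be present in the cell."""
        held = self._cells.get((user, element), Right.NONE)
        return bool(needed) and (held & needed) == needed

    def mandate(self, user):
        """Row view: the elements this user may access, with the rights held."""
        return {e: r for (u, e), r in self._cells.items() if u == user}

    def column(self, element):
        """Column view: every user holding rights on one data element."""
        return {u: r for (u, e), r in self._cells.items() if e == element}


# Constructed secrecy zones, lowest to highest.
ZONE_LEVEL = {"public": 0, "internal": 1, "secret": 2}


def zone_allows(clearance, zone):
    """Zone scheme: a user may enter zones at or below the clearance level."""
    return ZONE_LEVEL[clearance] >= ZONE_LEVEL[zone]


def build_sample():
    """Constructed sample matrix for a university records system."""
    m = AuthorizationMatrix()
    m.grant("registrar", "grades", Right.READ | Right.WRITE)
    m.grant("lecturer", "grades", Right.READ)
    m.grant("registrar", "payroll", Right.READ)
    return m
```

Because a missing cell is treated as "access denied", a registered user who was never entered in the matrix gets nothing, which is the behaviour the delineation of access is meant to guarantee.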
But to ensure their effective functioning, special organizational measures are
necessary: the generation and distribution of passwords, the entry of reference
passwords into the computer, the formation and maintenance of access control details, the
general organization of protection, etc. (Yeh & Chang, 2007). The overall evaluation of the
mechanisms of the initial stage of protection is that they provided a certain level of
protection, but the problem as a whole was not solved, because experienced attackers found
ways and means to overcome them. The most serious attempt to solve information protection
problems within the basic approach of the first phase was the development of the
so-called resource security system (SVR), carried out on the instructions of one of the US military agencies.
According to the task, the SVR was supposed to be an operating system for the computers
used, containing mechanisms that would provide highly reliable protection of the
processed information from unauthorized access for malicious purposes. The main
mechanisms of protection were the recognition of users described above and the
differentiation of access. As supporting mechanisms, monitoring of the
protection and recording of unauthorized acts were provided. For that time, the SVR was the most powerful
protection system. To verify it, a special commission was created that tested it for several
days by attempting unauthorized access to protected information.
The results of the verification for the SVR were disappointing: a significant number
of attempts at unauthorized penetration proved successful, and a number of these intrusions
were neither detected by the monitoring mechanisms nor recorded by the registration mechanisms. As a
result, the ordering agency refused to use the SVR in its work.
The second stage is called the
stage of developed protection, and this development is determined by three characteristics. A
gradual realization of the need to integrate the goals of protection; the first result on this path
was the joint solution of the problems of ensuring the integrity of information and preventing
its unauthorized receipt. The expansion of the arsenal of means of protection used, both in number and
in variety. The universal application of technical, software and organizational means became
widespread. Protecting information by cryptographic transformation became widely
practiced. To regulate the rules of protection, the leading countries began to adopt special
legislative acts in the established order. All means of protection used in
a system became more and more purposefully integrated into functionally independent
defense systems (subsystems). To illustrate the scope of the work at the second stage, consider
that for the problem of user identification alone, methods and tools were developed
based on the following characteristics: traditional passwords, but according to complicated
procedures.
1 Functional and information models of the business processes of the organization, which
determine the basic requirements for its information security
2 Complex of system models defining the main components of information risks of the
organization
3 Algorithms for analysis and management of information risks of the organization based on
fuzzy cognitive maps
4 Software for automation of analysis and management of information risks of the
organization based on the construction of fuzzy cognitive maps
The scientific novelty of the work is that analysis and management of information
security, in contrast to existing approaches, is proposed to be carried out by constructing a
fuzzy cognitive map of the object under investigation. In this case, the main laws and
standards regulating the legal and regulatory issues of maintaining information security at
various levels of the organization of society are noted. It is noted that the central place (Zhu
& Azar, 2015). When providing the IS regime in organizations, the task is to analyze and
manage information risks. However, the well-known corporate documents on the provision of
the IS regime do not offer a universal method of risk management for different types of
organizations, in view of the specifics of the business processes of each organization.
Bibliography
Biggio, B., Fumera, G., Russu, P., Didaci, L., & Roli, F. (2015). Adversarial biometric
recognition: A review on biometric system security from the adversarial machine-
learning perspective. IEEE Signal Processing Magazine, 32(5), 31-41.
Biringer, B., Vugrin, E., & Warren, D. (2016). Critical infrastructure system security and
resiliency. CRC Press.
Deane, J. P., Gracceva, F., Chiodi, A., Gargiulo, M., & Gallachóir, B. P. (2015). Assessing
power system security. A framework and a multi model approach. International
Journal of Electrical Power & Energy Systems, 73, 283-297.
Dhillon, G., & Backhouse, J. (2000). Technical opinion: Information system security
management in the new millennium. Communications of the ACM, 43(7), 125-128.
Mao, A., & Iravani, M. R. (2014). A trend-oriented power system security analysis method
based on load profile. IEEE Transactions on Power Systems, 29(3), 1279-1286.
Pearcy, D. P., Heinrich, J. A., & Gaskins, J. J. (2015). U.S. Patent No. 8,973,147.
Washington, DC: U.S. Patent and Trademark Office.
Sallam, A. S. (2016). U.S. Patent No. 9,262,246. Washington, DC: U.S. Patent and
Trademark Office.
Shaikh, F., Ji, Q., & Fan, Y. (2017). An ecological network analysis of the structure,
development and sustainability of China’s natural gas supply system
security. Ecological Indicators, 73, 235-246.
Yeh, Q. J., & Chang, A. J. T. (2007). Threats and countermeasures for information system
security: A cross-industry study. Information & Management, 44(5), 480-491.
Bibliography
Biggio, B., Fumera, G., Russu, P., Didaci, L., & Roli, F. (2015). Adversarial biometric
recognition: A review on biometric system security from the adversarial machine-
learning perspective. IEEE Signal Processing Magazine, 32(5), 31-41.
Biringer, B., Vugrin, E., & Warren, D. (2016). Critical infrastructure system security and
resiliency. CRC press.
Deane, J. P., Gracceva, F., Chiodi, A., Gargiulo, M., & Gallachóir, B. P. (2015). Assessing
power system security. A framework and a multi model approach. International
Journal of Electrical Power & Energy Systems, 73, 283-297.
Dhillon, G., & Backhouse, J. (2000). Technical opinion: Information system security
management in the new millennium. Communications of the ACM, 43(7), 125-128.
Mao, A., & Iravani, M. R. (2014). A trend-oriented power system security analysis method
based on load profile. IEEE Transactions on Power Systems, 29(3), 1279-1286.
Pearcy, D. P., Heinrich, J. A., & Gaskins, J. J. (2015). U.S. Patent No. 8,973,147.
Washington, DC: U.S. Patent and Trademark Office.
Sallam, A. S. (2016). U.S. Patent No. 9,262,246. Washington, DC: U.S. Patent and
Trademark Office.
Shaikh, F., Ji, Q., & Fan, Y. (2017). An ecological network analysis of the structure,
development and sustainability of China’s natural gas supply system
security. Ecological indicators, 73, 235-246.
Yeh, Q. J., & Chang, A. J. T. (2007). Threats and countermeasures for information system
security: A cross-industry study. Information & Management, 44(5), 480-491.

SECURITY MANAGEMENT
Zhu, Q., & Azar, A. T. (Eds.). (2015). Complex system modelling and control through
intelligent soft computations. Germany: Springer.