Security Enhanced Applications for Information Systems

**1. Introduction**


Globalization is a phenomenon that is bringing the world closer together through the exchange of raw goods, products, services, information, knowledge, and culture. Unprecedented advancements in technology, communications, science, transport, and industry have quickened the pace of global integration. The globalization process is creating and accelerating the emergence of transnational markets. Because of this worldwide market, there is a wider range of products and services to choose from when building information systems.

The global supply chain and system complexity obscure "what's in the system." Systems are vulnerable to counterfeits, malicious inserts, and negligent design flaws. In today's global environment, one cannot afford to manage risks simply by seeking to avoid them. The traditional discourse is that of risk avoidance. However, risk avoidance is untenable in an economic environment that operates globally, with great variation in performance and with rapidly changing processes and technologies of consumption and production. Risks must be actively managed. Risk reduction comes at an expense, with cost, schedule, and performance impacts on building trusted information systems. It may cost less to build robustness below some threshold of concern than to eliminate the risks, but it costs more than ignoring the risks. To find the right balance between the benefits, costs, and risks associated with globalization, one needs to understand how globalization works, the issues and challenges, and the subsequent system design and policy choices.

This book chapter discusses several research areas that address the effects of globalization coupled with the increasing complexity of building trusted information systems. The growing trend of globalization demands a more inclusive and persistent approach to actively managing risks in building trusted information systems. For example, the multifaceted, transitory, and global nature of the commercial information and communications technology (ICT) marketplace limits visibility into the supply chain and its suppliers. One of the main challenges is verification of trustworthy components and services in the design, development, test, production, deployment, operation, and maintenance of trusted information systems.

<sup>1</sup> The publication of this book chapter does not indicate endorsement by the Department of Defense (DoD) or the Institute for Defense Analyses (IDA), nor should the contents be construed as reflecting the official position of those organizations.

Challenges in Building Trusted Information Systems

inserted as part of the system at any time during the life cycle (NDIA, 2008). The ideal scenario where no exploitable vulnerabilities exist is unrealistic. Therefore, active risk management must be performed to reduce the probability and impact of vulnerabilities to tolerable levels of risk.

Confidence establishes trustworthiness and tolerable residual risk. Trust in any information system is really the result of the methods employed to assure confidence in the system, both in its functions and in the protection of the information it holds and the results it produces.

**4. Trust & risk**

Trust and risk are closely related. Trust can be described as the willingness to take risk (Mayer et al., 1995, as cited in Laeequddin et al., 2008). Trust can be defined in terms of willingness to assume risk, intention to make oneself vulnerable, acceptance of risk, and readiness to assume risk (Chopra & Wallace, 2003, as cited in Zuo & Hu, 2009). Meanwhile, risk is about choice: the action that is undertaken (Bernstein, 1996, as cited in Laeequddin et al., 2008).

Table 1 sorts risks into several basic categories and lists the areas they affect (Kleim, 2004). These risks are not necessarily mutually exclusive.

| Risk Type | Affected Area |
|---|---|
| Financial | Budget and cost |
| Technical | Tools, techniques, and standards |
| Managerial | Decision making and reporting |
| Behavior | Managing and leading people |
| Legal | Governmental laws and regulatory considerations |

Table 1. Types of Risks and Affected Areas

Haimes (2006) defines the following terms that have been broadly applied to risk analysis:

*Vulnerability* – the manifestation of the inherent states of the system (e.g., physical, technical, organizational, cultural) that can be exploited to adversely affect (cause harm or damage to) that system.

*Intent* – the desire or motivation to attack a target and cause adverse effects.

*Capability* – the ability and capacity to attack a target and cause adverse effects.

*Threat* – the intent and capability to adversely affect (cause harm or damage to) the system by adversely changing its states.

*Risk* – the result of a threat with adverse effects to a vulnerable system.

The term 'susceptibility' is missing from the above list of definitions. The authors posit that one cannot manage risk unless there is an understanding of susceptibility. Understanding threat and vulnerability is necessary but not sufficient. Susceptibility is the intersection of threat (access) and vulnerability (opportunity). A viable threat requires access, and a vulnerability provides an exploitable opportunity. A risk is realized when the susceptibility occurs at a certain instant or point in time. If threat and vulnerability intersect and there are no defenses, then the consequences of the realized risk must be tolerated (Chan & Larsen, 2010).
