**4. Trust & risk**

88 Security Enhanced Applications for Information Systems

Globalization is linking people and things at a faster pace than ever before. With global markets, supply chains have become more intricate, uncertain, and unpredictable. Therefore, globalization presents challenging problems to assuring the integrity of components used to build trustworthy information systems and networks. Critical information systems should be composed of parts that are trusted to do only that which is expected or specified and to do so reliably and dependably. Global supply chains are vulnerable to questions of unknown product or service provenance, which subsequently leads to questionable trustworthiness of

Both globalization and outsourcing are creating longer supply chains. Outsourcing creates a greater dependency on outsiders – procuring ever-more-complex and more critical products from external strategic suppliers instead of developing products in-house (Bolgar, 2010). Outsourcing projects can provide a number of benefits, including cost savings, increased productivity, improved schedule performance, and higher quality of work (Kliem, 2004). However, extended supply chains greatly increase the complexity of the supply network and decrease the visibility of risks. Nevertheless, globalization provides an opportunity to increase the security of mission critical information systems. The global marketplace can be leveraged to propagate better information assurance techniques and security practices in

An information system is specifically designed to operate on information, i.e., information is the flow variable in the system. In general, systems are designed for a purpose and have the

A system can be defined as a combination of hardware, software, infrastructure, and trained personnel operating to achieve specified mission objectives. This definition of system includes both the communications technology and information that is employed in addition

Modern information systems increasingly rely on globally sourced ICT components and services. The variety and abundance in the marketplace is driven by the rapid decline in cost and the rapid increase in performance advancements. As supply is able to meet the demand for low cost and more functions, today's information systems are increasingly complex in

One foundation for building trusted information systems is systems assurance. Systems assurance is defined as the justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or

the supplied items and the suppliers in the supply chain.

designing and building trusted information systems.

**3. Information systems** 

 Consume (ingest) Process (convert) Produce (output)

Store (hold)

nature.

following operational properties:

**3.1 Trusted information systems** 

Control signalling (regulate operations)

to the way in which people interact with the technology.

**2. Globalization**

Trust and risk are closely related. Trust can be described as the willingness to take risk (Mayer et al., 1995, as cited in Laeequddin et al., 2008). Trust can be defined in terms of willingness to assume risk, intention in terms of willingness to assume risk, intention to make oneself vulnerable, acceptance of risk, and readiness to assume risk (Chopra & Wallace, 2003, as cited in Zuo & Hu, 2009). Meanwhile, risk is about choice; the action that is undertaken (Bernstein, 1996, as cited in Laeequddin et al., 2008).

Table 1 sorts risks into several basic categories and lists the areas they affect (Kleim, 2004). These risks are not necessarily mutually exclusive.


Table 1. Types of Risks and Affected Areas

(Haimes, 2006) defines the following terms that have been broadly applied to risk analysis:


The term 'susceptibility' is missing from the above list of definitions. The authors posit that one cannot manage risk unless there is an understanding of susceptibility. Understanding threat and vulnerability is necessary but not sufficient. Susceptibility is the intersection of threat (access) and vulnerability (opportunity). A viable threat requires access and a vulnerability provides an exploitable opportunity. A risk is realized when the susceptibility occurs at a certain instance or point in time. If threat and vulnerability intersect and there are no defenses, then the consequences of the realized risk must be tolerated (Chan & Larsen, 2010).

Challenges in Building Trusted Information Systems 91

calculus that brings threats and vulnerabilities into coincidence to identify a risk of concern. Combining the identified risks of concern with an evaluation of how to reduce the adverse consequences of risk realizations enables the generation of a ranked list of susceptibilities. These susceptibilities provide input to risk managers to determine some combination of investments to reduce the impact of risks to mission tolerable levels of outcome that can be selected and implemented. This general approach is applicable to any specific class of all risks and contributes to the overall trade-space of risks to successful execution of mission

Risk management is the process of responding to an event that offers negative or positive consequences. The goal is to maximize the gain from positive risks (opportunities) and minimize the loss from negative risks (Kliem, 2004). Risk management includes risk identification, risk analysis, and risk mitigation. Generally, the necessary steps to effective risk management are to (1) identify any potential risks, (2) assess the levels of threats, and (3) develop countermeasures and mitigations to reduce risks. Countermeasures are defined as actions or devices designed to negate or offset another whereas mitigations are defined as

Qualitative analysis of the risk level helps to better prioritize risk (Khanmohammadi & Houmb, 2010) for obligating resources to reduce risk. After gaining a shared understanding of the impact and relative importance of risks, appropriate risk controls (Kleim, 2004) may

*Preventative controls* – techniques that mitigate the impact of a risk or stop it before

*Corrective controls* – techniques that involve determining the impact of a risk and require

*Detective controls* – techniques that reveal the existence of a risk and preclude future

A traditional view in risk management is to "avoid risk." In reality, many people ignore risk because they do not understand it. However, risks cannot be ignored nor can all risks be eliminated. Attempting to eliminate all risks by applying countermeasures and mitigations is economically untenable. Residual risks will always remain. Due to these factors, active risk management is required to establish tolerable levels of trust and risk. Furthermore, many existing risk management models are not applicable to supply chain networks. There is a lack of a satisfactory framework to analyze information risks unique to a supply chain network and to provide a structure to organize the deliberations and tools for managing supplier and supply chain risks for ICT components and services bound for trusted

Globalization, more than many other factors, brings the uncertainties of an information operating environment into consideration of risks and the ways and means of countering and mitigating them. Furthermore, when the operating environment is a third party system of vulnerabilities, threats, intentions, capabilities, and risks for which every other system is

actions that can be taken to help reduce the impact of realized risks.

establishing measures to preclude future impacts (mitigation).

impact under similar conditions (vulnerability detection).

performance.

**4.1 Risk management** 

be selected to be implemented:

information systems and networks.

**5. Research areas** 

having an impact (countermeasure).

The nature of the risk being addressed in this chapter is fundamentally different from the current view of risk. The current view of risk focuses on vulnerabilities and motives to exploit the vulnerabilities. These risks are distinct from risks for which a threat actor makes deliberate investment to create an opportunity and trigger the realization of the risk for malicious purposes. Globalization creates conditions of supply that enable malicious threat actors to enrich their opportunities to craft susceptibility which may later be triggered to produce adverse consequences.

The classes of risks that have gone unaddressed are those of supply chain exploitation, particularly exploits motivated by malice. These risks are the most difficult to detect. A malicious actor may not exploit vulnerabilities immediately but insert an opportunity to exploit at some point in the lifecycle development of the item of supply. The malicious actor's opportunity can occur at any time from cradle to grave. This type of malice is hard to detect because a threat actor has opportunity separate from the invocation of the risk to be realized. The malicious actor invests in providing "extra sauce" to the item of supply being consumed. Therefore, there is a need to counter invest to provide the ways and means that manage the risk of malicious exploitation of the supply chain.

Figure 1 illustrates susceptibility analyses as the center of gravity for risk management with respect to supply chain exploits. In a general context, any risk management effort needs a

Fig. 1. Susceptibility Analyses as Center of Gravity

calculus that brings threats and vulnerabilities into coincidence to identify a risk of concern. Combining the identified risks of concern with an evaluation of how to reduce the adverse consequences of risk realizations enables the generation of a ranked list of susceptibilities. These susceptibilities provide input to risk managers to determine some combination of investments to reduce the impact of risks to mission tolerable levels of outcome that can be selected and implemented. This general approach is applicable to any specific class of all risks and contributes to the overall trade-space of risks to successful execution of mission performance.

#### **4.1 Risk management**

90 Security Enhanced Applications for Information Systems

The nature of the risk being addressed in this chapter is fundamentally different from the current view of risk. The current view of risk focuses on vulnerabilities and motives to exploit the vulnerabilities. These risks are distinct from risks for which a threat actor makes deliberate investment to create an opportunity and trigger the realization of the risk for malicious purposes. Globalization creates conditions of supply that enable malicious threat actors to enrich their opportunities to craft susceptibility which may later be triggered to

The classes of risks that have gone unaddressed are those of supply chain exploitation, particularly exploits motivated by malice. These risks are the most difficult to detect. A malicious actor may not exploit vulnerabilities immediately but insert an opportunity to exploit at some point in the lifecycle development of the item of supply. The malicious actor's opportunity can occur at any time from cradle to grave. This type of malice is hard to detect because a threat actor has opportunity separate from the invocation of the risk to be realized. The malicious actor invests in providing "extra sauce" to the item of supply being consumed. Therefore, there is a need to counter invest to provide the ways and means that

Figure 1 illustrates susceptibility analyses as the center of gravity for risk management with respect to supply chain exploits. In a general context, any risk management effort needs a

manage the risk of malicious exploitation of the supply chain.

Fig. 1. Susceptibility Analyses as Center of Gravity

produce adverse consequences.

Risk management is the process of responding to an event that offers negative or positive consequences. The goal is to maximize the gain from positive risks (opportunities) and minimize the loss from negative risks (Kliem, 2004). Risk management includes risk identification, risk analysis, and risk mitigation. Generally, the necessary steps to effective risk management are to (1) identify any potential risks, (2) assess the levels of threats, and (3) develop countermeasures and mitigations to reduce risks. Countermeasures are defined as actions or devices designed to negate or offset another whereas mitigations are defined as actions that can be taken to help reduce the impact of realized risks.

Qualitative analysis of the risk level helps to better prioritize risk (Khanmohammadi & Houmb, 2010) for obligating resources to reduce risk. After gaining a shared understanding of the impact and relative importance of risks, appropriate risk controls (Kleim, 2004) may be selected to be implemented:


A traditional view in risk management is to "avoid risk." In reality, many people ignore risk because they do not understand it. However, risks cannot be ignored nor can all risks be eliminated. Attempting to eliminate all risks by applying countermeasures and mitigations is economically untenable. Residual risks will always remain. Due to these factors, active risk management is required to establish tolerable levels of trust and risk. Furthermore, many existing risk management models are not applicable to supply chain networks. There is a lack of a satisfactory framework to analyze information risks unique to a supply chain network and to provide a structure to organize the deliberations and tools for managing supplier and supply chain risks for ICT components and services bound for trusted information systems and networks.

#### **5. Research areas**

Globalization, more than many other factors, brings the uncertainties of an information operating environment into consideration of risks and the ways and means of countering and mitigating them. Furthermore, when the operating environment is a third party system of vulnerabilities, threats, intentions, capabilities, and risks for which every other system is

Challenges in Building Trusted Information Systems 93

**Active**

**Risk**

**Management**

**Persistent vulnerability detection occurs throughout for indicators and warning signs**

management of risk. Modern and future dependence on information systems require a systematic development of research areas to deal with the problem space holistically. Otherwise, only partial knowledge and solutions are obtained because the focus is only on particular issues and solutions. A holistic perspective to identify risk and quality of

Cyberspace is a domain constructed by man and constantly under construction (Welch, 2011). Modern information systems are connected to one another via networks. Functions essential to the computer control of the networks, information flowing or stored in the networks, and the decision support systems supported by the networks are subject to both physical damage and attacks that affect the logical realm. Table 2 maps six potential cyber attacks and their effects on information (Musman et al., 2011) and the impacted information assurance (IA) categories of confidentiality, integrity, and availability. Each 'X' represents an affirmative answer to the following question: Does the attack type, as defined, affect the IA category? Confidentiality refers to the prevention of unauthorized disclosure of data (both stored and communicated). Integrity refers to the prevention of unauthorized modification of data (both stored and communicated); detection and notification of unauthorized

**2. Employ** 

**during a** 

**countermeasures and mitigations** 

**3. Assess and adjust risk management** 

**strategies** 

**realized risk event**

**5.1 Cyber attacks** 

Fig. 3. Active Risk Management Activities

implementation is therefore required.

**1. Identify risks and select mitigation strategies**

dependent, the dynamics of the whole are considerably more difficult to assess, analyze, and apply actions to control or influence. The current research and development (R&D) agenda for single systems or systems-of-systems is more deliberate and explicit about particular characteristics of a system or collection of systems. While this work is improving the understanding of a "system," it is deficient in the totality of characteristics, knowledge, and techniques need to actually manage risks.

The authors suggest a paradigm of active risk management that requires a continuous feedback loop. Figure 2 illustrates a risk event timeline in three phases: pre-risk event, transitional risk event, and post-risk event. In each phase, there exist indicators and warnings to a potential risk occurrence. Vulnerability detection must occur at all times to seek out opportunities to prevent risks or mitigate risks to reduce impacts further downstream. Figure 3 illustrates the continuous feedback loop for active risk management. The activities for each of the three phases of active risk management seek to answer questions such as the ones listed below:

	- a. What can go wrong?
	- b. What is the likelihood?
	- c. What are the consequences?
	- d. And at what time domain?
	- e. What can be done and what options are available?
	- f. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?
	- a. What can be done and what options are available?
	- b. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?
	- c. What are the impacts of current management decisions on future options?
	- a. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?
	- b. What are the impacts of current management decisions on future options?
	- c. What can be done and what options are available?

Note that active risk management is a continuous cycle, with some of the same questions being asked and answered throughout. Further note that a risk must be experienced at least once, otherwise it is just theory and not practice.

Fig. 2. Risk Event Timeline

The effects of globalization set up a rich set of challenges, issues, and opportunities for research. Globalization further begs for a broad and interdisciplinary agenda of research to relate the pace, tempo, and interaction of the environment with information systems. Current research is not driven by a totality of systems view nor does it deal with active

dependent, the dynamics of the whole are considerably more difficult to assess, analyze, and apply actions to control or influence. The current research and development (R&D) agenda for single systems or systems-of-systems is more deliberate and explicit about particular characteristics of a system or collection of systems. While this work is improving the understanding of a "system," it is deficient in the totality of characteristics, knowledge, and

The authors suggest a paradigm of active risk management that requires a continuous feedback loop. Figure 2 illustrates a risk event timeline in three phases: pre-risk event, transitional risk event, and post-risk event. In each phase, there exist indicators and warnings to a potential risk occurrence. Vulnerability detection must occur at all times to seek out opportunities to prevent risks or mitigate risks to reduce impacts further downstream. Figure 3 illustrates the continuous feedback loop for active risk management. The activities for each of the three phases of active risk management seek to answer

f. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?

b. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?

a. What are the associated trade-offs in terms of all relevant costs, benefits, and risks?

Note that active risk management is a continuous cycle, with some of the same questions being asked and answered throughout. Further note that a risk must be experienced at least

**1. Pre‐Risk Event 2. Transitional Risk Event 3. Post‐Risk Event**

The effects of globalization set up a rich set of challenges, issues, and opportunities for research. Globalization further begs for a broad and interdisciplinary agenda of research to relate the pace, tempo, and interaction of the environment with information systems. Current research is not driven by a totality of systems view nor does it deal with active

c. What are the impacts of current management decisions on future options? 3. *Post-Risk Event*: Evaluate the implemented countermeasures and mitigations, and

b. What are the impacts of current management decisions on future options?

1. *Pre-Risk Event*: Identify and select risks to invest in doing something

e. What can be done and what options are available?

c. What can be done and what options are available?

2. *Transitional Risk Event*: Deploy countermeasures and mitigations a. What can be done and what options are available?

techniques need to actually manage risks.

questions such as the ones listed below:

a. What can go wrong? b. What is the likelihood? c. What are the consequences? d. And at what time domain?

readjust strategy if necessary

Fig. 2. Risk Event Timeline

once, otherwise it is just theory and not practice.

#### Fig. 3. Active Risk Management Activities

management of risk. Modern and future dependence on information systems require a systematic development of research areas to deal with the problem space holistically. Otherwise, only partial knowledge and solutions are obtained because the focus is only on particular issues and solutions. A holistic perspective to identify risk and quality of implementation is therefore required.

#### **5.1 Cyber attacks**

Cyberspace is a domain constructed by man and constantly under construction (Welch, 2011). Modern information systems are connected to one another via networks. Functions essential to the computer control of the networks, information flowing or stored in the networks, and the decision support systems supported by the networks are subject to both physical damage and attacks that affect the logical realm. Table 2 maps six potential cyber attacks and their effects on information (Musman et al., 2011) and the impacted information assurance (IA) categories of confidentiality, integrity, and availability. Each 'X' represents an affirmative answer to the following question: Does the attack type, as defined, affect the IA category? Confidentiality refers to the prevention of unauthorized disclosure of data (both stored and communicated). Integrity refers to the prevention of unauthorized modification of data (both stored and communicated); detection and notification of unauthorized

Challenges in Building Trusted Information Systems 95

Pre‐Event

Timing Classes Transitional‐

Event

Reconstitute

Most information security losses are due to the theft of proprietary information, a feat usually executed by insiders. An "insider" is stereotypically an employee, contractor, business partner, or anybody who has any level of legitimate access, driven by a wide range of reasons, both rational (e.g., money, status, power) and irrational (e.g., revenge, frustration, emotion pain, other personal problems) (Chuvakin, 2003). Insiders can be

Non-malicious insiders compromise security due to their mistakes. Non-malicious users include people who want to "explore" the network or "improve" how things work without regard to security regulations. Non-malicious users present a hazard to the enterprise because they can incorrectly destroy information, degrade the availability and integrity of computing resources, and create opportunities for outsider attackers. Non-malicious insiders may also be unwitting participants, under the control of a malicious insider who uses social engineering techniques such as direct requests, persuasion, and other forms of deception. Hackers are known to evaluate the target information system, get initial information about the protective measures, and then launch social engineering attacks to

Malicious insiders are generally motivated by greed, a need for acknowledgment, sabotage, revenge, or a desire to be irreplaceable by creating problems only they can fix. Malicious insiders act to eavesdrop on a private communication, steal or damage data, use information in violation of company policy, or deny access to other authorized users (Chuvakin, 2003). One proposed paradigm shift is to think of the supply chain problem as an insider threat problem. Because globalization expands insider access and knowledge of critical information systems to new populations, the information systems being built today are exposed to greater insider threat risk. The insider threat problem requires research in the areas of threat identification and appropriate countermeasures and mitigation. Moreover, the insider may not only be human. The machine (e.g., any logic-bearing or programmable

ICT component) is a potential insider threat in an information system and network.

Action

categorized by their intent into non-malicious and malicious insiders.

enlist insiders to do their bidding (Chuvakin, 2003).

Fig. 4. Framework for Potential Risk Mitigation Strategies for Information Systems

Classes

Recover Mitigate Remediate Prevent

Availability Confidentiality Integrity

Impact Categories

Post‐Event

Preventative Risk Mitigation Strategies (Addressed by Key Practices

Known/Suspected Risk Mitigation

and Best Practices)

36 potential situational‐ based mitigation categories i.e., (4‐Action Classes) x (3‐Timing Classes) x (3‐Impact Categories)

Strategies

**5.2 Insider threat** 

Key

modification of data; and recording of all changes to data. Availability refers to the timely, reliable access to data and information services for authorized users. Availability attacks include destruction of assets and denial-of-service.

Table 2 highlights the importance of protecting integrity, yet this area is the least mature. Currently, there is a lot of research work that address confidentiality and availability. Most information systems assurance work deals with various malicious attacks that range from computer viruses, network penetration, and system breaches (Zuo & Hu, 2009). Availability can be preserved through asset diversity means (e.g., network path diversity). Confidentiality preservation mechanisms include authentication and authorization so that sensitive information is protected from unauthorized users. Encryption is a technique usually assumed to answer confidentiality and integrity issues. However, there is not much conducted research with regards to trusting the encryptor and protecting the integrity of information and data within an information system.

Figure 4 illustrates 36 potential situational-based mitigation categories that address integrity, confidentiality, and availability. Mitigations are time-dependent: pre-risk event, transitional risk event, and post-risk event. Potential risk management strategies can be classified as: prevention, remediation, mitigation, recovery, and reconstitution. Preventative strategies are usually derived from key and leading practices. Much research work is required to develop and organize the other types of risk management strategies. Figure 4 provides an illustrative framework to begin categorizing ways and means to manage risks represented by an action (applied pre-, trans-, or post-event) with an intended impact of the potential or actual loss of integrity, confidentiality, and availability.


Table 2. Information Assurance Impacts Due to Various Cyber Attacks

Fig. 4. Framework for Potential Risk Mitigation Strategies for Information Systems

#### **5.2 Insider threat**

94 Security Enhanced Applications for Information Systems

modification of data; and recording of all changes to data. Availability refers to the timely, reliable access to data and information services for authorized users. Availability attacks

Table 2 highlights the importance of protecting integrity, yet this area is the least mature. Currently, there is a lot of research work that address confidentiality and availability. Most information systems assurance work deals with various malicious attacks that range from computer viruses, network penetration, and system breaches (Zuo & Hu, 2009). Availability can be preserved through asset diversity means (e.g., network path diversity). Confidentiality preservation mechanisms include authentication and authorization so that sensitive information is protected from unauthorized users. Encryption is a technique usually assumed to answer confidentiality and integrity issues. However, there is not much conducted research with regards to trusting the encryptor and protecting the integrity of

Figure 4 illustrates 36 potential situational-based mitigation categories that address integrity, confidentiality, and availability. Mitigations are time-dependent: pre-risk event, transitional risk event, and post-risk event. Potential risk management strategies can be classified as: prevention, remediation, mitigation, recovery, and reconstitution. Preventative strategies are usually derived from key and leading practices. Much research work is required to develop and organize the other types of risk management strategies. Figure 4 provides an illustrative framework to begin categorizing ways and means to manage risks represented by an action (applied pre-, trans-, or post-event) with an intended impact of the

**Category Effect on Information Confidentiality Integrity Availability** 

for some time period <sup>X</sup>

captured by the attacker X X X

entered into the system <sup>X</sup>

future effects on information X X

**Information Assurance Categories** 

X

X X

include destruction of assets and denial-of-service.

information and data within an information system.

**Attack** 

**Degradation** 

**Modification** 

**Unauthorized Use** 

potential or actual loss of integrity, confidentiality, and availability.

Rate of information delivery is decreased; Quality or precision of information produced by an activity is

decreased

**Interruption** Information is unavailable

results

**Interception** Information has been

**Fabrication** False information has been

Information has been altered, meaning that the processes that use it may fail, or produce incorrect

Raises the potential for

Table 2. Information Assurance Impacts Due to Various Cyber Attacks

Most information security losses are due to the theft of proprietary information, a feat usually executed by insiders. An "insider" is stereotypically an employee, contractor, business partner, or anybody who has any level of legitimate access, driven by a wide range of reasons, both rational (e.g., money, status, power) and irrational (e.g., revenge, frustration, emotion pain, other personal problems) (Chuvakin, 2003). Insiders can be categorized by their intent into non-malicious and malicious insiders.

Non-malicious insiders compromise security due to their mistakes. Non-malicious users include people who want to "explore" the network or "improve" how things work without regard to security regulations. Non-malicious users present a hazard to the enterprise because they can incorrectly destroy information, degrade the availability and integrity of computing resources, and create opportunities for outsider attackers. Non-malicious insiders may also be unwitting participants, under the control of a malicious insider who uses social engineering techniques such as direct requests, persuasion, and other forms of deception. Hackers are known to evaluate the target information system, get initial information about the protective measures, and then launch social engineering attacks to enlist insiders to do their bidding (Chuvakin, 2003).

Malicious insiders are generally motivated by greed, a need for acknowledgment, sabotage, revenge, or a desire to be irreplaceable by creating problems only they can fix. Malicious insiders act to eavesdrop on a private communication, steal or damage data, use information in violation of company policy, or deny access to other authorized users (Chuvakin, 2003).

One proposed paradigm shift is to think of the supply chain problem as an insider threat problem. Because globalization expands insider access and knowledge of critical information systems to new populations, the information systems being built today are exposed to greater insider threat risk. The insider threat problem requires research in the areas of threat identification and appropriate countermeasures and mitigation. Moreover, the insider may not only be human. The machine (e.g., any logic-bearing or programmable ICT component) is a potential insider threat in an information system and network.

Challenges in Building Trusted Information Systems 97

Organizations are addressing new threats and opportunities presented by the question: "where does this stuff come from?" Due to the magnitude of the global sourcing issue and the multi-layered nature of the global supply chain, there are more variance and unpredictable factors in the environment to control. Therefore, a high level of supply chain visibility can be incorporated into the risk management processes to reduce product and performance related errors, and enhance the quality and responsiveness to risk incident occurrence (Tse & Tan, 2011). Due to the longer supply chains, it is critical to enhance the supply chain risk visibility by examining sub-tier suppliers and adjusting the supplier

Issues of provenance can be applied to both physical artifacts and to information. Provenance can be identified in in two distinct ways: the source (or derivation) of an object and the record of the derivation (Moreau et al., 2008). Much of the provenance work has been applied to artifacts, especially in archives, art, and archaeology. Provenance has recently become essential for digital documents in financial, commercial, medical, scientific, and legal contexts. Such information often originates in a remote location, gets processed by multiple parties, and resides in potentially untrustworthy storage (Hasan et al., 2009). In order to trust the information in a document, its provenance must be known because it is increasingly important to know where the information comes from and how it has been

More provenance research work is needed in the area of information and knowledge management, specifically electronic data. Electronic data does not usually contain historical information that would help end users, reviewers, or regulators. Process documentation is to electronic data as record of ownership is to a work of art (Moreau et al., 2008). A user's confidence in an application's electronic data can be increased by including the provenance that describes the process that led to the data's production. Digital data provenance tracking is useful for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through information systems and networks. While significant research is being conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments (Hasan et al., 2009). Therefore, provenance of electronic data does not completely address or assure

Security and privacy have different requirements but share a point of intersection; security can be achieved without privacy, and privacy cannot be preserved without security. Security is provided by a "system" that handles information. Privacy begins with an accountable action taken by a user of information machinery. If the "system" consists of a user (human) and the machinery, then the information system can be designed to holistically intersect to provide security and privacy by employing machine handling of information to achieve both security and privacy protections. However, privacy begins with the human who enters information into the machine and authorizes its use and transmission by the machine component of the "system" or "network." No amount of machine security

**5.4 Provenance & supply chain visibility** 

processed and handled.

integrity.

**5.5 Security & privacy** 

assessment process with the insights gained in a cyclic manner.

Most modern ICT are programmable and expected to execute operations with a degree of predictable variability. Unfortunately, this property of programmability enables malicious intent to also be implemented. This may take the form of design or incorrect implementation of design with residual vulnerability able to be exploited at one extreme. On the other extreme, it may be the deliberate insertion of programming intended to be exploited or triggered with the intent of malicious effect. The very property of programmability that gives great flexibility and range of utility is also an intrinsic vulnerability to be exploited from the outside (the most common form of threat exploit) or from the inside (the deliberate inclusion of programming that allows the device to behave as an insider – normal behavior in all respects until triggered to behave with intent to create malicious effects).

#### **5.3 Vulnerability detection**

Detecting the human insider threat problem has been explored extensively. This concept depends on an understanding of correct behavior and the ability to observe the correctness of expected behavior. Humans are "programmed" through cultural norms, training, and education to behave correctly. However, human-machine systems can be exploited by human insiders to exhibit anomalous behaviors.

Modern information systems have ICT-enabled advantages such as programmability. The programmability property provides variability that leads to flexibility which simultaneously gives rise to vulnerabilities. As the machinery of information systems has become increasingly programmable, complex, interconnected, and pervasive, the machine is becoming the means of malicious insider exploitation. Table 3 presents malicious vulnerability examples that can be inflicted by human or machine to another human or machine. Traditional methods of detection (e.g., behavioral approaches) are used to detect man-made vulnerabilities (e.g., conspiracies and hacking). Machine vulnerabilities may be inherent in the hardware equipment and require human testing to detect. Globalization of the suppliers and the programmable nature of supplied items have vastly increased the opportunities for "insider behavior" implemented not by humans but by the machinery. The authors assert that an R&D agenda is required in counter-investment to understand, implement, and apply countermeasures and mitigations designed to meet what is functionally an insider threat realized in and executed by machine.


Table 3. Malicious Vulnerability Examples

As integrated circuit (IC) fabrication work is increasingly outsourced due to much lower costs, hardware manufacturers face significant security risks for ICs used in critical information systems and networks. Local, high-end, trusted facilities are economically unviable given the global economy. Further research work is required to address the uncertainty in provenance and hardware integrity. Example areas include digital IC fingerprinting and IC authentication tools and techniques.

#### **5.4 Provenance & supply chain visibility**

96 Security Enhanced Applications for Information Systems

Most modern ICT are programmable and expected to execute operations with a degree of predictable variability. Unfortunately, this property of programmability enables malicious intent to also be implemented. This may take the form of design or incorrect implementation of design with residual vulnerability able to be exploited at one extreme. On the other extreme, it may be the deliberate insertion of programming intended to be exploited or triggered with the intent of malicious effect. The very property of programmability that gives great flexibility and range of utility is also an intrinsic vulnerability to be exploited from the outside (the most common form of threat exploit) or from the inside (the deliberate inclusion of programming that allows the device to behave as an insider – normal behavior

Detecting the human insider threat problem has been explored extensively. This concept depends on an understanding of correct behavior and the ability to observe the correctness of expected behavior. Humans are "programmed" through cultural norms, training, and education to behave correctly. However, human-machine systems can be exploited by

Modern information systems have ICT-enabled advantages such as programmability. The programmability property provides variability that leads to flexibility which simultaneously gives rise to vulnerabilities. As the machinery of information systems has become increasingly programmable, complex, interconnected, and pervasive, the machine is becoming the means of malicious insider exploitation. Table 3 presents malicious vulnerability examples that can be inflicted by human or machine to another human or machine. Traditional methods of detection (e.g., behavioral approaches) are used to detect man-made vulnerabilities (e.g., conspiracies and hacking). Machine vulnerabilities may be inherent in the hardware equipment and require human testing to detect. Globalization of the suppliers and the programmable nature of supplied items have vastly increased the opportunities for "insider behavior" implemented not by humans but by the machinery. The authors assert that an R&D agenda is required in counter-investment to understand, implement, and apply countermeasures and mitigations designed to meet what is

> **Human** Conspiracy Hacking **Machine** Vulnerability Operations Research

As integrated circuit (IC) fabrication work is increasingly outsourced due to much lower costs, hardware manufacturers face significant security risks for ICs used in critical information systems and networks. Local, high-end, trusted facilities are economically unviable given the global economy. Further research work is required to address the uncertainty in provenance and hardware integrity. Example areas include digital IC

**Human Machine** 

in all respects until triggered to behave with intent to create malicious effects).

**5.3 Vulnerability detection** 

human insiders to exhibit anomalous behaviors.

Table 3. Malicious Vulnerability Examples

functionally an insider threat realized in and executed by machine.

fingerprinting and IC authentication tools and techniques.

Organizations are addressing new threats and opportunities presented by the question: "where does this stuff come from?" Due to the magnitude of the global sourcing issue and the multi-layered nature of the global supply chain, there are more variance and unpredictable factors in the environment to control. Therefore, a high level of supply chain visibility can be incorporated into the risk management processes to reduce product and performance related errors, and enhance the quality and responsiveness to risk incident occurrence (Tse & Tan, 2011). Due to the longer supply chains, it is critical to enhance the supply chain risk visibility by examining sub-tier suppliers and adjusting the supplier assessment process with the insights gained in a cyclic manner.

Issues of provenance can be applied to both physical artifacts and to information. Provenance can be identified in in two distinct ways: the source (or derivation) of an object and the record of the derivation (Moreau et al., 2008). Much of the provenance work has been applied to artifacts, especially in archives, art, and archaeology. Provenance has recently become essential for digital documents in financial, commercial, medical, scientific, and legal contexts. Such information often originates in a remote location, gets processed by multiple parties, and resides in potentially untrustworthy storage (Hasan et al., 2009). In order to trust the information in a document, its provenance must be known because it is increasingly important to know where the information comes from and how it has been processed and handled.

More provenance research work is needed in the area of information and knowledge management, specifically electronic data. Electronic data does not usually contain historical information that would help end users, reviewers, or regulators. Process documentation is to electronic data as record of ownership is to a work of art (Moreau et al., 2008). A user's confidence in an application's electronic data can be increased by including the provenance that describes the process that led to the data's production. Digital data provenance tracking is useful for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through information systems and networks. While significant research is being conducted in this area, the associated security and privacy issues have not been explored, leaving provenance information vulnerable to illicit alteration as it passes through untrusted environments (Hasan et al., 2009). Therefore, provenance of electronic data does not completely address or assure integrity.

#### **5.5 Security & privacy**

Security and privacy have different requirements but share a point of intersection; security can be achieved without privacy, and privacy cannot be preserved without security. Security is provided by a "system" that handles information. Privacy begins with an accountable action taken by a user of information machinery. If the "system" consists of a user (human) and the machinery, then the information system can be designed to holistically intersect to provide security and privacy by employing machine handling of information to achieve both security and privacy protections. However, privacy begins with the human who enters information into the machine and authorizes its use and transmission by the machine component of the "system" or "network." No amount of machine security

Challenges in Building Trusted Information Systems 99

1. The IA category of availability has a minimal relationship with privacy. Availability deals with system design to ensure high accessibility and redundancy of resources and

2. While IA can address a majority of the privacy control families, IA does not address public disclosure, notice, consent, minimum necessary, individual rights, and authorization. Authorization in the privacy context refers to an individual's ability to authorize all new and secondary uses of PII not previously identified on the original collection notice. These privacy control families must therefore be addressed through

3. The remaining privacy control families not addressed by the traditional IA categories are addressed by the expanded IA categories, which include assured information

In summary, IA does not address every threat to protecting privacy and personal data. While IA relates to securing and protecting an information system, information privacy relates to an individual's right to determine how, when, and to what extent personal

With respect to privacy, there are two types of insider threats to consider: (1) insiders who have the correct permissions and authorizations for data access may deliberately misuse information and/or provide information to unauthorized parties and (2) insiders who may inadvertently misuse information due to ignorance or carelessness that may result in improper disclosure (Waterman, 2006). The second kind of insider threat as described poses the greatest danger to the appropriate protection of privacy data. While IA can provide measures to ensure proper authorization and access control, IA cannot tackle the use of information for purposes other than the one or ones for which it was originally collected. One way to consider addressing the insider threat issue is through policies and procedures that provide education and training on the appropriate use of information and through

Some data mining tools make automatic associations in such a way that even naïve users could deduce private information from the unclassified or public pieces of data by basically exploiting the associations made available by these tools. Thus, there is a need for the development of privacy-preserving techniques for PII data management (Ferrari & Thuraisingham, 2006). Data anonymization, masking, and filtering are methods being used to protect the rights of individuals and minimial disclosure. However, even these techniques

Privacy policies are being used by organizations to tackle the issue of PII. However, few privacy policies actually assert that your PII will remain secret or private and under your control (Poore, 1999). In reality, a privacy policy is simply an information policy that tells

The results of Table 4 draw out the following main findings:

another mechanism, such as business rules and processes.

information will be released to another person or organization.

enforcement of these policies and procedures.

sharing, assured mission management, and system/network defense.

capabilities.

**5.5.1 Insider threat** 

**5.5.2 Data mining tools** 

can be subverted.

**5.5.3 Appropriate privacy policies** 

can guarantee privacy as privacy begins with the original provider of information into the machinery of the "system."

Security is about protection, whereas privacy is about permission and use of personally identifiable information (PII). Information technology systems can be built to the highest security standards without any regard to privacy. However, once PII is collected, security measures are necessary to preserve privacy (Federal Enterprise Architecture Program Management Office, 2006). A security policy may address information classification, protection, and periodic review to ensure compliance. However, privacy policies are needed to determine how security is implemented for the purposes of protecting PII within information systems. Elements of a privacy policy include information regarding the processes of information collection, analysis, maintenance, access, dissemination, and deletion.

Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (44 U.S.C. § 3542(b)(1)). As security is crucial for ensuring privacy, an initial look at how IA measures can deal with privacy concerns is provided. Table 4 provides a mapping of the IA categories that can address the 17 privacy control families defined in *The Federal Enterprise Architecture Security and Privacy Profile* (June 2006). Each 'X' represents an affirmative answer to the following question: Can the standards and technologies of the IA category address and/or support the policies and procedures of the privacy control family? As Table 4 is a high-level view, each entry can be further examined in regards to specific standards, technologies, policies, and procedures.


Table 4. Mapping of IA Categories That Can Address Privacy Control Families

The results of Table 4 draw out the following main findings:


In summary, IA does not address every threat to protecting privacy and personal data. While IA relates to securing and protecting an information system, information privacy relates to an individual's right to determine how, when, and to what extent personal information will be released to another person or organization.

#### **5.5.1 Insider threat**

98 Security Enhanced Applications for Information Systems

can guarantee privacy as privacy begins with the original provider of information into the

Security is about protection, whereas privacy is about permission and use of personally identifiable information (PII). Information technology systems can be built to the highest security standards without any regard to privacy. However, once PII is collected, security measures are necessary to preserve privacy (Federal Enterprise Architecture Program Management Office, 2006). A security policy may address information classification, protection, and periodic review to ensure compliance. However, privacy policies are needed to determine how security is implemented for the purposes of protecting PII within information systems. Elements of a privacy policy include information regarding the processes of information collection, analysis, maintenance, access, dissemination, and

Information security is defined as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (44 U.S.C. § 3542(b)(1)). As security is crucial for ensuring privacy, an initial look at how IA measures can deal with privacy concerns is provided. Table 4 provides a mapping of the IA categories that can address the 17 privacy control families defined in *The Federal Enterprise Architecture Security and Privacy Profile* (June 2006). Each 'X' represents an affirmative answer to the following question: Can the standards and technologies of the IA category address and/or support the policies and procedures of the privacy control family? As Table 4 is a high-level view, each entry can be further examined in regards to specific standards, technologies,

Policies and Procedures X X

Accountability X X

Programs X X

Accuracy of Data X

Security Measures X X X

Table 4. Mapping of IA Categories That Can Address Privacy Control Families

Acceptable Use X

Chain of Trust X

Privacy as Part of the Development Life Cycle X X X

**Privacy Control Family Confidentiality Integrity Availability**

**Information Assurance Categories** 

machinery of the "system."

policies, and procedures.

Monitoring and Measuring

Public Disclosure

Minimum Necessary

Individual Rights Authorization

Risk Management Reporting and Response

Notice Consent

Assigned Roles, Responsibilities, and

Education: Awareness and Role-based Training

deletion.

With respect to privacy, there are two types of insider threats to consider: (1) insiders who have the correct permissions and authorizations for data access may deliberately misuse information and/or provide information to unauthorized parties and (2) insiders who may inadvertently misuse information due to ignorance or carelessness that may result in improper disclosure (Waterman, 2006). The second kind of insider threat as described poses the greatest danger to the appropriate protection of privacy data. While IA can provide measures to ensure proper authorization and access control, IA cannot tackle the use of information for purposes other than the one or ones for which it was originally collected. One way to consider addressing the insider threat issue is through policies and procedures that provide education and training on the appropriate use of information and through enforcement of these policies and procedures.

#### **5.5.2 Data mining tools**

Some data mining tools make automatic associations in such a way that even naïve users could deduce private information from the unclassified or public pieces of data by basically exploiting the associations made available by these tools. Thus, there is a need for the development of privacy-preserving techniques for PII data management (Ferrari & Thuraisingham, 2006). Data anonymization, masking, and filtering are methods being used to protect the rights of individuals and minimial disclosure. However, even these techniques can be subverted.

#### **5.5.3 Appropriate privacy policies**

Privacy policies are being used by organizations to tackle the issue of PII. However, few privacy policies actually assert that your PII will remain secret or private and under your control (Poore, 1999). In reality, a privacy policy is simply an information policy that tells

Challenges in Building Trusted Information Systems 101

Privacy must be considered an integral part of the development and use of an information system. Privacy policies and procedures must be developed as part of the business process so that appropriate IA measures can be implemented to support them. Recall that security can be developed without privacy but privacy cannot be provided without security. However, security measures cannot address all privacy issues; hence privacy must be considered from the beginning. Privacy management should not be an afterthought,

The following recommendations are provided to help move forward in providing both

1. Promote a more coordinated approach to security and privacy consistent with business

2. Conduct a Privacy Impact Assessment (PIA) to determine the effects of information services and sharing initiatives on individual privacy. Elements of PIAs should include

What opportunities individuals will have to provide information or to consent to

3. Develop a plan for evaluation and continued monitoring of the implementation of the

A significant gap in R&D is the interface between human and machine components of a system. Security is about the machine component. Privacy is about the human component

In summary, an information system should have a privacy policy that publicly articulates that it will adhere to legal requirements and processes that enable gathering and sharing of information to occur in a manner that protects personal privacy interests. A well-developed and implemented privacy policy should also be transparent in order to protect the enterprise, the individual, and the public; and promotes trust. A well-developed privacy policy also ensures that appropriate IA measures can be taken to meet both security and

Traditional research work in supply chain risk management involves activities and processes for planning, coordination, operation, control, and optimization of the supply chain. These efforts do not examine supply chain risks associated with the compromise or loss of product/service confidentiality or integrity. Supply chain exploits are the opportunities where adversaries can gain access, obtain knowledge, insert malicious code,

Whether a system of records is being created under the privacy policy.

reactive, or piecemeal.

the following:

privacy policy.

privacy needs.

security and privacy for information systems:

 The information that is being collected, Why the information is being collected, Intended use of the information,

particular uses of the information, How information will be secured, and

and its interaction with the machine component.

**5.6 Supplier-Supply Chain Risk Management (S-SCRM)** 

or corrupt devices bound for information systems.

With whom the information will be shared,

objectives and the goals of efficiency and interoperability.

you what information is collected and how it is used. It does not necessarily mean that your privacy is protected and may actually specify that privacy is not provided. The inability for individuals to agree in terms of what they believe is an appropriate privacy policy or practice is a major challenge to achieving consistent protection for groups of individuals. Privacy is not absolute. There are many trade-offs in the benefits versus the risks.
