individuated by considering the risk analysis with the existing methods and correlating it directly to the purpose of the information end user.

**The fourth research problem** consists in the evaluation of the return on investment (ROI) for information security implementation.

**2. Information security**

The analysis of the actual state of the art engages the general definition of security (Abbo, Sun, Feb 2009, pp 195 – 200): "Security is a function of the interaction of its components: Asset (A), Protector (P) and Threat (T) in a given Situation. These can be represented in the equation:

S = f(A;P,T) Si."

This logical formula is the inspiring baseline for the whole research, from Manunta (2000, p. 20), who states that security is the contrived condition of an Asset. It is created and maintained by a Protector in antagonism with a reacting counterpart (Threat), in a given Situation. It aims to protect the Asset from unacceptable damage.

For the three actors we can give the following definitions:

Asset: Any person, facility, material, information or activity that has a positive value to an owner (Tipton F. H. – Henry K. 2007, p. 789).

Protector: A person, an organization or a thing that makes sure that something or somebody is not harmed, injured, damaged etc. (Oxford Dictionary).

Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. Threat is the broadest category in a classification, becoming more specific as it moves through vulnerability, exploit, and attack (Slade R. 2006).

The mere presence of interaction among all three actors (A, P, T) only means that a security context is present, as some ongoing process amongst the actors. Further analysis shows that Figure 1 represents a security problem, which has still to be solved.

This definition is the preamble for further related research, defined as the "**theory of sets for security situations**" with the application of Venn diagrams.

Venn diagrams, or set diagrams, are diagrams that show all possible logical relations between a finite collection of sets (aggregations of things). They are used to teach elementary set theory, as well as to illustrate simple set relationships in probability, logic, statistics, linguistics and computer science.

The importance of an asset to an organization does not simply depend on the monetary cost of the asset, but rather is based on the value of the asset to the organization (Rogers B.B., p. 75). Before the consequence of the loss of an asset can be reasonably evaluated, the organization itself must be thoroughly understood, which is the purpose of an infrastructure characterization. The infrastructure characterization seeks to gain an appreciation of this organizational environment and to establish the design constraints under which the security system must operate. An infrastructure characterization consists of defining the critical missions and goals of the organisation, the infrastructure that is necessary to accomplish the mission, the legal, regulatory, safety and corporate framework, and the vulnerabilities that the organisation faces.

Fig. 1. Definition of Security with the application of set diagrams.

The Assets of information security issues usually include three to five elements. Examples of major security categories include confidentiality, privacy, integrity, authentication, authorization, and non-repudiation. The E-Government Act of 2002, section 3542 (B), defines the integrity, confidentiality, and availability attributes of security (Barker C. W. p.308):

**Availability**: The property of ensuring timely and reliable access to and use of information. Availability is the principle that information is accessible when needed. The two primary areas affecting the availability of a system are denial of service due to the lack of adequate security controls and loss of service due to disaster, such as an earthquake, tornado, blackout, hurricane, fire, flood and so forth. In either case, the end user does not have access to the information needed to perform his or her job duties. The criticality of the system to the user and its importance to the survival of the organization will determine how significant the impact of the extended downtime becomes.

**Integrity**: Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.

Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes. Information stored within the files, databases, systems, and networks must be able to be relied upon to accurately process transactions and provide accurate information for business decision making. Controls are put in place to ensure that information is modified only through accepted practices. Management controls such as the segregation of duties, specification of the systems development life cycle with approval checkpoints, and implementation of testing practices assist in providing information integrity. Well-formed transactions and security of updated programs provide consistent methods of applying changes to systems. Limiting update access to those individuals with a need to access limits the exposure to intentional and unintentional modification.

Information Security Management Accounting 119

**Confidentiality**: Preservation of authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Confidentiality is the principle that only authorized individuals, processes, or systems should have access to information on a need-to-know basis. In recent years, much press has been dedicated to the privacy of information and the need to protect it from individuals who may be able to commit crimes by viewing the information. Identity theft is the act of assuming one's identity through knowledge of confidential information obtained from various sources. Information must be classified to determine the level of confidentiality required, or who should have access to the information (public, internal use only, or confidential). Identification, authentication, and authorization through access controls are practices that support maintaining the confidentiality of information. Encrypting information also supports confidentiality by limiting the usability of the information in the event it is viewed while still encrypted. Unauthorized users should be prevented from accessing the information, and monitoring controls should be implemented to detect and respond, per organizational policies, to unauthorized attempts. Authorized users of information also represent a risk, as they may have ill intentions in accessing the information for personal knowledge, personal monetary gain, or to support improper disclosures.

The three attributes, or the three pillars, are also known as the C.I.A. triangle and are considered as classes of dimensions in the Committee on National Security Systems (CNSS) model (Whitman p.5).

This security model, also known as the McCumber Cube after its developer, John McCumber, is rapidly becoming the standard for many aspects of the security of information systems (see Figure 2).

Fig. 2. The McCumber cube is a model recognized by the Committee on National Security Systems (CNSS). Its three axes are confidentiality, integrity, availability; storage, processing, transmission; and policy, education, technology.

If we extend the relationship among the three dimensions represented by each axis shown in the figure, we end up with a 3x3x3 cube with 27 cells. Each cell represents an area of intersection among these three dimensions that must be addressed to secure an information system.

When using this model to design or review any information security program, we must make sure that each of the 27 cells is properly addressed by each of the three communities of interest. For example, the cell representing the intersection between the technology, integrity, and storage areas is expected to include controls or safeguards addressing the use of technology to protect the integrity of information while in storage.

While this model covers the three dimensions of information security, it omits any discussion of detailed guidelines and policies that direct the implementation of controls. However, this model is very useful when reused to calculate the percentage of each single resource employed in information security, in order to define the amount of the investment.

However, in a given Situation, ICT security is regarded as a layered system. Layered security needs to be incorporated in any assessment and evaluation process, by ensuring that the multiple facets of a customer's information security profile are addressed. There have been hundreds of interpretations of layered security, but everyone agrees on some core areas to be addressed: network perimeter protection, internal network protection, intrusion monitoring and prevention, host and server configuration, malicious code protection, incident response capabilities, security policies and procedures, employee awareness and training, physical security and monitoring. *These areas are key points of failure within the information security architecture at many organizations* (Rogers R., pp 5-6).

The issue is something born with humankind's perception of security, since the primordial communities, as fully shown by the physical layers of defensive concentricity in most archaeological evidence.

Any pertinent situation is seen by the information professional as a set of 10 organizational domains, as follows (Tipton F. H. – Henry K pp. xvi-xvii):

a. **Information Security and Risk Management**: Addresses the framework and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets, to inculcate holistically the criteria and to assess the effectiveness of that protection. It includes issues of governance, organizational behaviour, ethics, and awareness. This domain also addresses risk assessment and risk management.

b. **Access control**: The collection of mechanisms and procedures that permits managers of a system to exercise a directing or restraining influence over the behaviour, use and content of a system.

c. **Cryptography**: Addresses the principles, means, and methods of disguising information to ensure integrity, confidentiality, and authenticity in transit and in storage.

d. **Physical (environmental) Security**: Addresses the common physical and procedural risks that may exist in the environment in which an information system is managed.

e. **Security architecture and design**: Addresses the high level and detailed processes, concepts, principles, structures, and standards to define, design, implement, monitor, and secure/assure operating systems, applications, equipment, and networks. It addresses the technical security policies of the organisation, as well as the implementation and enforcement of those policies.
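As an added example (not from the chapter), the following Python script treats the McCumber cube described above as a coverage matrix: it enumerates the 27 cells from the three axes of Figure 2, tags a control inventory with one cell each, lists the cells that no control addresses, and computes the share of controls per measure axis, which is the per-resource percentage the chapter suggests reusing the model for. The control inventory is constructed for illustration.

```python
"""Coverage check over the 27 cells of the McCumber cube (added example).
Each control is tagged with one (goal, state, measure) cell; the report lists
cells that no control addresses and the share of controls under each measure
(technology, policy, education). The control inventory is constructed."""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
MEASURES = ("technology", "policy", "education")

# All 27 (goal, state, measure) cells of the cube.
CELLS = tuple(product(GOALS, STATES, MEASURES))

# Constructed sample inventory: control name -> (goal, state, measure).
SAMPLE_CONTROLS = {
    "full-disk encryption": ("confidentiality", "storage", "technology"),
    "TLS on all external services": ("confidentiality", "transmission", "technology"),
    "file integrity monitoring": ("integrity", "storage", "technology"),
    "change-approval checkpoints": ("integrity", "processing", "policy"),
    "offsite backups": ("availability", "storage", "technology"),
    "redundant WAN links": ("availability", "transmission", "technology"),
    "phishing awareness training": ("confidentiality", "processing", "education"),
    "clear-desk policy": ("confidentiality", "storage", "policy"),
}


def validate(controls):
    """Reject a control tagged with a cell that is not on the cube."""
    for name, cell in controls.items():
        if cell not in CELLS:
            raise ValueError(f"{name!r} is tagged with unknown cell {cell}")


def uncovered_cells(controls):
    """Cells of the cube that no control in the inventory addresses."""
    validate(controls)
    covered = set(controls.values())
    return [cell for cell in CELLS if cell not in covered]


def coverage_ratio(controls):
    """Fraction of the 27 cells addressed by at least one control."""
    return 1 - len(uncovered_cells(controls)) / len(CELLS)


def share_by_measure(controls):
    """Percentage of controls falling under each measure (resource) axis."""
    validate(controls)
    total = len(controls)
    shares = {}
    for measure in MEASURES:
        count = sum(1 for _, _, m in controls.values() if m == measure)
        shares[measure] = round(100 * count / total, 1) if total else 0.0
    return shares


if __name__ == "__main__":
    gaps = uncovered_cells(SAMPLE_CONTROLS)
    print(f"{len(gaps)} of {len(CELLS)} cells have no control:")
    for goal, state, measure in gaps:
        print(f"  {goal:15s} {state:13s} {measure}")
    print("share of controls by measure:", share_by_measure(SAMPLE_CONTROLS))
```

A cell left empty is a review finding for that community of interest, not proof of a missing safeguard, since one real control may legitimately serve several cells.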


For the actual state of the art, 13 domains have been defined as exhaustive of the cloud computing pertinent Situation (CSA Guidance 2009):

Domain 1: Cloud Computing Architectural Framework
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal and Electronic Discovery
Domain 4: Compliance and Audit
Domain 5: Information Lifecycle Management
Domain 6: Portability and Interoperability
Domain 7: Traditional Security, Business Continuity and Disaster Recovery
Domain 8: Data Centre Operations
Domain 9: Incident Response, Notification, and Remediation
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Identity and Access Management
Domain 13: Virtualization

The key issue is that the Situation of Manunta's formula above [S = f(A;P,T) Si] can be viewed, in the information security environment, as a set of well defined interdependent domains, each one with its own organizational and operational autonomy and protection.

In addition, each domain contributes its own security share to the general protection, and any security breach of a single domain has consequences for the breached domain and/or for other domains and/or for the general business. Furthermore, a more appropriate keyword is "security of information infrastructure" rather than "information security", with the following definition:

**Information infrastructure**. It is the satellite, terrestrial, and wireless communication systems that deliver content to homes, businesses and other public and private institutions.

It is the information content that flows over the infrastructure, whether in the form of databases, the written word, a film, a piece of music, a sound recording, a picture or computer software (Hyperdictionary).

One of the sensitive issues regarding information infrastructure security is its measurability, that is, "security metrics". Security metrics are not well developed outside of a narrow range of IT-centric measures (Brotby W. C - 2009 – pp. 13,14).

While these measures may be useful for managing specific technologies such as patch management or server hardening, they are of little use in managing overall security.

**3. The risk perception**

Risk is a word that admirably serves the forensic needs of the new global culture, and its calculation is deeply entrenched in science and manufacturing and as a theoretical base for decision making (Douglas pp 22-23).

Generally speaking, risks are classified as "speculative" (the difference between loss or gain, for example the risk in gambling) and "pure risk", a loss or no loss situation, to which insurance generally applies (Broder p.630).

According to the common understanding relating to the information infrastructure, the risk-focused assets are usually identified as availability, confidentiality and/or privacy, integrity, authentication and non-repudiation. The risk analysis is tailored on the traditional definition of risk, according to ISO/IEC (2002, p 2), which states: "*combination of the probability of an event and its consequences, but the term risk is generally used only when there is at least the possibility of negative consequences.*"

This is defined as Probabilistic Risk Assessment (PRA) (Brotby W. C p.205). PRA has emerged as an increasingly popular analysis tool, especially during the last decade. PRA is a systematic and comprehensive methodology to evaluate the risks associated with every lifecycle aspect of a complex engineered technological entity, from concept definition, through design, construction, and operation, and up to removal from service.

Risk is defined as a feasible detrimental outcome of an activity or action subject to hazards. In PRA, risk is characterized by two quantities: the magnitude (or severity) of the adverse consequence(s) that can potentially result from the given activity or action, and the likelihood of occurrence of the given adverse consequence(s). If the measure of consequence severity is the number of people that can potentially be injured or killed, risk assessment becomes a powerful analytical tool to assess safety performance.

If the severity of the consequence(s) and their likelihood of occurrence are both expressed qualitatively (e.g. through words like high, medium, or low), the risk assessment is called a qualitative risk assessment. In a quantitative risk assessment or a probabilistic risk assessment, consequences are expressed numerically (e.g. the number of people potentially hurt or killed) and their likelihoods of occurrence are expressed as probabilities or frequencies (i.e. the number of occurrences or the probability of occurrence per unit time).

In security applications, the probability of occurrence (PO) is given by:

PO = PA (1 – PE)
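The PO formula and the qualitative/quantitative distinction above, worked through as an added example that is not part of the chapter. The chapter does not define PA and PE, so the script assumes the usual reading of PA as the probability that an adverse event is attempted in the period and PE as the probability that the protector's measures interrupt it; the scenarios and the banding thresholds are constructed.

```python
"""Worked risk calculation (added example). Applies PO = PA * (1 - PE), where
PA is assumed to be the probability of an attempt and PE the probability that
the protection interrupts it. Quantitative risk is consequence magnitude times
PO; the qualitative variant bands both factors into low/medium/high words and
combines them through a matrix. All scenario values are constructed."""


def probability_of_occurrence(pa, pe):
    """PO = PA (1 - PE); both inputs must be probabilities in [0, 1]."""
    for name, p in (("PA", pa), ("PE", pe)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    return pa * (1.0 - pe)


def quantitative_risk(consequence, pa, pe):
    """Expected adverse consequence = magnitude x likelihood of occurrence."""
    if consequence < 0:
        raise ValueError("consequence magnitude cannot be negative")
    return consequence * probability_of_occurrence(pa, pe)


def band(value, thresholds):
    """Map a number onto low / medium / high given two cut points."""
    low_max, medium_max = thresholds
    if value <= low_max:
        return "low"
    if value <= medium_max:
        return "medium"
    return "high"


# Constructed (severity, likelihood) -> risk word matrix.
QUALITATIVE_MATRIX = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}


def qualitative_risk(consequence, pa, pe, consequence_cuts, likelihood_cuts=(0.1, 0.5)):
    """Same inputs, but severity and likelihood are expressed as words."""
    sev = band(consequence, consequence_cuts)
    lik = band(probability_of_occurrence(pa, pe), likelihood_cuts)
    return sev, lik, QUALITATIVE_MATRIX[(sev, lik)]


# Constructed scenarios: name -> (consequence in currency units, PA, PE).
SCENARIOS = {
    "ransomware on file server": (500_000, 0.6, 0.8),
    "lost unencrypted laptop": (50_000, 0.3, 0.1),
    "data centre flood": (2_000_000, 0.02, 0.0),
}


def rank_scenarios(scenarios):
    """Scenario names ordered by quantitative risk, highest first."""
    return sorted(scenarios, key=lambda n: quantitative_risk(*scenarios[n]), reverse=True)


if __name__ == "__main__":
    for name in rank_scenarios(SCENARIOS):
        c, pa, pe = SCENARIOS[name]
        print(f"{name:28s} PO={probability_of_occurrence(pa, pe):.3f} "
              f"risk={quantitative_risk(c, pa, pe):>10,.0f} "
              f"qualitative={qualitative_risk(c, pa, pe, (100_000, 1_000_000))}")
```

Note that the flood scenario ranks second quantitatively but only "medium" qualitatively, which is the information the chapter's distinction between the two assessments is meant to expose.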
