DATA SECURITY AND OPTIMIZATION OF INFORMATION SYSTEMS
Raja Sekhar Pedada, [email protected]
BIS 625 Research in Information Systems
College of Business Administration, Department of Business Information Systems
Central Michigan University
Mount Pleasant, Michigan 48858
Data survivability; Data security; Protection; Redundancy; Attack; Optimization; Information security management; Security investment decisions; Simulation; System dynamics
Safe and secure information storage is essential for all facets of successful business and government operations. Safe storage, availability, and confidentiality are conflicting concerns which have to be weighed against each other. Accounting is an example of a discipline where information is represented in certain formats and on chosen media, for subsequent release according to regulations (Gordon, Loeb, & Lucyshyn, 2003). Consider a defender protecting some information. The defender can store this information in one secure location, which we refer to as storage on one specific resource. If an attacker appropriates and/or destroys it, the defender suffers theft and/or information destruction. To prevent theft, the defender can separate the information into multiple blocks and store these blocks on multiple resources. Since the information can be used only in its integrity, the thief must get access to all of the separated blocks to possess the information. On the other hand, separating the information increases its vulnerability as the destruction of any block makes it unusable. To prevent destruction the defender can create multiple copies of each block and store these blocks on multiple resources. Creating multiple copies increases the possibility of theft. This illustrates that preventing theft and destruction are different objectives for the defender. One objective of this research study is to analyze how the defender handles such different objectives (Levitin, Hausken, Taboada, & Coit, 2012).
Leaking of confidential material is a major threat to information security within organizations and to society as a whole. This insight has gained traction in the political realm since the activities of WikiLeaks, which hopes to attack ‘unjust’ systems or ‘conspiracies’. Eventually, such threats to information security rely on a biologistic argument on the benefits and drawbacks that uncontrolled leaking might pose for ‘just’ and ‘unjust’ entities. Such biological metaphors are almost exclusively based on the economic advantage of participants (Hamacher, 2012). Information security has never been a high priority for many of the managers. Most of them permit their installations to be either light protected or unprotected, apparently willing to risk major losses from computer abuse. This study, based on the criminological theory of general deterrence, investigates whether a management decision to invest in IS security results in more effective control of computer abuse. Data gathered through a survey of 1,211 randomly selected organizations indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse. Knowledge about these relationships is useful for making key decisions about the security function (Straub, 1990).
Data Security of Information System is a series of management activities with the aim of protecting and securing information assets within the framework of the organization in which information system is running. Evaluation of information assets from one organization to another may be different, considering the geographic and business areas. Thus, organizations that are located in developed countries and has a good organizational development may pay more attention to protecting their information assets than to their counterparts in developing countries. It is a set of managerial activities that aims to protect information assets and secure framework within the organization in which information systems are working. Therefore, one of its main goals is minimizing the risks that an information asset encounters("Information security management (3): the Code of Practice for Information Security Management (BS 7799)," 1998).
Scaling from enterprise range, mid-market level, small or online based successful companies of today are having a firm presence in online. As per reality, by conducting business online, research says companies can suffer from data security breach. Fortunately there governs some predefined global rules about securing information systems online. The most important mistakes companies do make with the data security are as follows:
1. Miss-calculation about the view of data security as just an Information Technology problem rather than Business Problem
2. Under estimation of understanding the significance of inside threats.
3. Failure in using the ongoing intelligence strategy to sharpen the strategy of data security and optimization.
4. Failure in handling the persistently patch vulnerabilities.
5. Relaying on the third party software technologies, such as firewalls, to prevent security breach rather than building one.
6. Failures in adapting to a responsive plan prior to security breaches.
7. In adequate training to employees on cyber security practices on how manage passwords and avoid activities like phishing and key logger scams.
8. Eighty percent of security breaches and threats are preventable. Comparatively the cost incurred on implementing the technologies and process are less significant than costs of breach.
9. Failure to use custom filters for immediate disabling of access to sites from attacking IP range of addresses. These filters also helps to prevent SQL injection and other cyber attacking’s.
Data Security and Optimization of Information Systems:
In recent years, the interest in quantitative models for information security investment decisions has increased significantly. This trend is driven by the fact that information security is becoming more important each day and, at the same time, the complexity of IT systems continuously increases. Questions like, “How much security is necessary?”, “How much should be spent?”, and “How can security be improved?” are becoming more relevant these days. There are several research streams which basically try to solve the security investment problem from different angles. This problem can be broken down into two distinct sub problems where each sub problem is focused on one key issue: (1) what is the optimal amount to invest in security; and (2) what security safeguards should be selected to invest in?
The first question is probably the most-discussed one and there exists a considerable amount of related literature. It is often addressed by traditional risk analysis methods to determine loss expectancies and a return on investment(Sonnenreich, Albanese, & Stout, 2006). As a reason, risk analysis approaches usually treat prevented losses as a profit: profit = loss reduction × probability of incident. The second question which safeguards should be selected for implementation within a budget that was determined previously? Most approaches to address this question apply management tools and financial analysis based on measures like annual loss expectancy, return on investment, internal rate of return, net present value, etc.(Bojanc & Jerman-Blažič, 2012; Sonnenreich et al., 2006; Tsiakis, 2010).No existing model support the establishment of an effective IT security strategy which incorporates large amount of data of an existing knowledge base and is still practically applicable in terms of information requirements and computational time(Schilling & Werners, 2016).
Let us consider a defender which seeks to store information securely. An attacker may steal or destroy the information which are two conflicting concerns. To prevent theft the defender can separate the information into multiple blocks stored on multiple resources. To prevent destruction the defender can create multiple copies of each block stored on multiple resources. We show that to prevent information destruction, the defender prefers to maximize the number of parallel copies of each block, regardless how many blocks in series there are. To prevent information theft, the defender prefers to maximize the number of separated blocks, regardless how many copies in series there are.
Fig. 1. Block diagram corresponding to information destruction.
Fig. 2. Block diagram corresponding to information theft.
Two multiple objective optimization models are developed. These minimize the probabilities of information destruction and data theft, and minimize cost. There are K resources of unlimited supply allowing placement of all copies of all blocks on any resource. Using a multiple objective evolutionary algorithm, we determine how to distribute an optimal number of block(Levitin et al., 2012) .
Research Questions and Objectives:
1. What is the current status in the development features of Information Systems Security?
2. How Data Security influences today’s Information Security globally?
3. How Information Systems overcomes the security threats and optimization issues?
1. The main objective of my research is to provide a relationship connection between Information Systems and Data Security with optimization.
2. To identify the scope of Secured optimization in Information Systems.
Research design: The research methodology includes literature review, Analysis of Information Systems security tools, Case studies, conducting surveys/ interviews. Documenting the literature review methodology is one of the very important task in any review (Jan vom & Theresa, 2011). In the preliminary step we study the comparison level between the process involved in the information system with and without the role of Data security optimization. A case study is done, by comparing an existing system and new on-going website design or online business. Questionnaires and face to face interviews are needed. An analysis is made based on the secondary data and interviews.
Participants: As the research involves in a data security and optimization. The security measures used in Central Michigan University can be used as a case study in my paper to understand the optimization importance in information systems. Hence it will be easier to get concerned information by meeting specific people for conducting surveys and questionnaires for my research.
Techniques: The technique involved in this process is all how can we make our data security system more robust and optimized from the entry level to end user point. Based on it, an analysis can be made how information system is prevented from the outside attacks between the past and future.
The research I proposed is completely based on the Data Security and optimization of information in the university and the existing information system, where I am pursuing my masters, there will not be any financial drawbacks. The only thing required is getting permissions and having access to all the documents i.e. Security measures and optimization levels following in information Systems of university - which is a common database information, involved in the project.
Bojanc, R., & Jerman-Blažič, B. (2012). Quantitative Model for Economic Analyses of information Security investment in an Enterprise information System. Organizacija, 45(6), 276-288.
Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22(6), 461-485. doi:http://dx.doi.org/10.1016/j.jaccpubpol.2003.09.001
Hamacher, K. (2012). Resilience to Leaking — Dynamic Systems Modeling of Information Security. PLoS ONE, 7(12), e49804. doi:10.1371/journal.pone.0049804
Information security management (3): the Code of Practice for Information Security Management (BS 7799). (1998). Information Management & Computer Security, 6(5), 224-225. doi:doi:10.1108/09685229810240158
Jan vom, B., & Theresa, S. (2011). Culture in business process management: a literature review. Business Process Management Journal, 17(2), 357-378. doi:10.1108/14637151111122383
Levitin, G., Hausken, K., Taboada, H. A., & Coit, D. W. (2012). Data survivability vs. security in information systems. Reliability Engineering & System Safety, 100, 19-27. doi:http://dx.doi.org/10.1016/j.ress.2011.12.015
Schilling, A., & Werners, B. (2016). Optimal selection of IT security safeguards from an existing knowledge base. European Journal of Operational Research, 248(1), 318-327. doi:http://dx.doi.org/10.1016/j.ejor.2015.06.048
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on security investment (ROSI)-a practical quantitative model. Journal of Research and practice in Information Technology, 38(1), 45-56.
Straub, D. W. (1990). Effective IS Security: An Empirical Study. Information Systems Research, 1(3), 255-276. doi:10.1287/isre.1.3.255
Tsiakis, T. (2010). Information security expenditures: a techno-economic analysis. Int. Journal of Computer Science and Network Security, 10(4), 7-11.
...(download the rest of the essay above)