The Importance of Computer Security - Literature review Example

 ABSTRACT Computer security is a primordial concern of all types of organizations. The challenges to preserving and safeguarding computer security are tremendous. Hence, academicians and computer security professionals undertake various studies to address this issue thoroughly and creatively. Both of the studies featured in this essay are similar in the sense that these studies are aimed towards enhancing computer security in organizations. However, the studies differ in the study goals and scope, methodology and analysis. Introduction The importance of computer security has been emphasized by two expert studies. One study was done by a group of academicians. The second study was done by computer security professionals. One is a seminal work carried out by Farzeneh Asghapour, Debin Lin and Jean Camp (2007) in assessing the indirect and implicit use of mental models applied to computer security. Asghapour et. al., (2007) did three experiments which revealed corresponding results. First, the experiments showed that for a set of security risks, the self-identified security experts and non-experts exhibit specific mental models. Second, a brand of expertise increases the distance between the mental models of non-experts and experts. Finally, the utilization of models through metaphors did not correspond to metaphors that are similar the mental models of simple users. The second study on computer security done by Stuart Schechter and Daniel Smith tackled the kind of security required to protect a packaged system which is present in large organizations from thieves who would plot a vulnerability to attack multiple installations. Both studies are similar since they relay the importance of computer security in organizations. The main theme of Asghapour and her co-researchers were to emphasize the importance of effective security risk communication. The researchers argue that this requires both communicating risk information and motivating the appropriate risk behaviors. The crucial argument is that the purpose of risk communication is not transmitting truth to the users, but training them to take an appropriate move to respond against a certain threat to their system. Similarly, Schechter and David present an economic threat modeling as a measure for understanding adversaries who are attracted for financial gain. They did a mathematical model on thieves outside the target organization who would enter through a simple vulnerability in one of the target company’s packaged systems. This model can determine what these thieves are willing to pay for system vulnerabilities and how secure the system should be to withstand any form of theft. The main methodology of Asghapour and her co-researchers were to identify implicit mental models for computer security which makes these explicit and run a test for mental models for fit for risk communication. They also aim to utilize the mental models in a rational manner to address risk communication to non-expert computer users. The researchers pointed out that a mental model is an internal concept of a given process. This concept is case specific and may depend on life experience, description of the risk, type of risk, and information processing strategies. In contrast, the methodology of Stuart Schechter and David Smith in their computer security study was to project economic threat models. The economic threat models they designed were meant to answer these questions: a.) who profits from a computer security attack on a given company; and b.) what is the choice of attack? The threat models enable them to pinpoint the adversary and the respective motivation of those. CONCEPTUAL FRAMEWORK Ashgapour and her co-researchers (2007) determined the scope of mental models which are used in the computer security profession. They chose five conceptual models implicit in language and explicit in metaphors: physical safety, medical infections, criminal behavior, warfare and economic failure. Physical safety refers to ‘keys’, ‘safe computing’ and mechanisms for physical risk mitigation. This concept pertains to individual and localized control. Medical infections refer to patterns of diffusion of ‘computer infections’ such as ‘Worms’. Criminal behavior refers to computer security violations which covers the release of ‘malicious’ code. Warfare denotes the presence of a highly-motivated and implacable enemy, with ‘firewalls’, and ‘offensives’. An economic failure is a form of externality which can be regarded as a market failure. Computer security failures have specific costs such as downtime and maintenance costs. The first question is if these metaphors and models in the security literature correspond with the mental models of experts or non-experts. Second, do the mental models of experts correlate with the mental models of lay users? Third, how sensitive is the correlation between experts’ and non-experts’ mental models to the definition of expertise? Fourth, up to what extent can one explain these differences? The researchers implemented two card sorting experiments. The two experiments differed in the definition of expertise. Schechter and David identified the potential outside thieves who can attack a computer security system of an organization. Outside thieves pertains to individuals or groups of individuals outside your organization who attack your systems for financial gain. Thieves act rationally in so far that they will not implement attacks that are expected to lead to their financial ruin. Thieves profit from exploiting system vulnerabilities by stealing information, such as customer lists and credit card numbershic keys, and then sell that information to the highest bidder. A thief can create back doors in the systems he attacks and then later sell that access for the highest profit. Serial thieves make use of an undetected vulnerability in a packaged system to attack victim after victim. By attacking a small number of victims at a time, the serial thief can check the value and location of what each victim is protecting and then maximize the loot obtained while minimizing risk. METHODOLOGY Ashgapour and her co-researchers conducted two sets of experiments to generate the data. They implemented an on-line card sorting experiment. The participants were given six label and color pairs: physical security = green, medical infection = blue, warfare = red, criminal behavior = orange, economics failure = yellow, and “I can’t decide” = purple. Expertise was asserted by the participants. In the two experiments, there were two distinct definitions of expertise. In Experiment 1 the participants exhibited their expertise based on the questions. An expert is a person who knows the technical definitions of the security related words. A non-expert is one who does not know the definition but has a perspective on risks. In Experiment 2, participants asserted their expertise based on the questions. An expert is a person who has had at least five years experience in security as a practitioner. A non-expert is a person who does not know anything about computer security. For Experiment 1 (E1) the results were grouped as weak expert (WE) and weak nonexperts (WNE). For Experiment 2, the participants were given six label and color pairs: physical security = green, medical infection = blue, warfare = red,criminal behavior = orange, economics failure = yellow, and “I can’t decide” = purple. For instance, the color green means peace for some people and environment for other people. The arbitrary color selection made the participants refer to the instructions. The participants labeled a word by changing its color. All words were in black. Each word was accompanied with six colored buttons. Clicking on each button changed the color of the corresponding word into the color of the selected button. Words could be changed multiple times, until the participant completed the experiment. The experiment used Macromedia Flash and PHP. A closed card sort experiment requires first and foremost a set of words in order to label the cards. The participants were asked to group the given words into these six labels: physical security, medical infections, criminal behavior, economic failure and warfare. For the last category, participants were told to label a word with “I can’t decide” if they could specify a single category. The words related to each mental model were selected using Webster’s Thesaurus. Once the matrices of the experts and non-experts were done, the multidimensional scaling (MDS) method was used to locate the expert’s and non-expert’s similarity matrices in two dimensional space. The multidimensional scaling (MDS) method evaluated the structure in a dataset by measuring the (dis)similarities in the data as distances. The Statistical Package for the Social Sciences (SPSS) was used to convert the similarity matrices into the distance matrices Results from the second experiment (E2) referred to the experts as strong experts (SE) and strong non-experts (SNE). The first experiment showed 22 self-defined experts and 49 non-experts. The second experiment covered 11 self-defined experts and 27 non-expert participants. In both experiments the participants belonged to the 18 to 50 years old bracket. The participants are faculty, staff, graduate and undergraduate students in computer science departments. Schechter and David did a mathematical modeling of the choices of the serial thief using variables to represent properties of the thief’s environment. The researchers set the motivation for each crime as the loot value a thief expects to get if the theft goes undetected. Thus, for every theft, there is a chance that the thief will be caught, convicted, and punished. The researchers defined the probability of being convicted as consisting of these variables: Pc refers to the probability of being caught, convicted, and punished for the theft. F refers to the fine to be paid by the thief if he is convicted later. The organization can also observe how the thief implements the means of attack. Once this weakness of the system has been discovered, an organization can install intrusion prevention systems. Pd refers to the probability that use of the exploit will expose it to the defense and the vulnerability will be patched. Thus Pc= Pd. RESULTS The results of Ashgapour and her co-researchers showed that the concepts of security as embedded in literature are not matched to the mental models of non-experts, and of experts. The results also showed that experts and non-expert users have significantly different mental models. These results showed sensitivity to the definition of expert. This means that the more stringent the definition of the expert, the greater the distance between the mental models of self-defined expert and non-experts, respectively. (Ashgapour, et. al., 2007) Similarly, Schechter and David showed significant results. The researchers found out that the organization must determine its desired level of computer security in order to make the right level of investment in security. The desired security level can be identified by quantitatively pinpointing the point at which the costs to a potential attacker overcome the gains from attack. Schechter and David had focused on strategies for organizations that are targets of the thief. These target organizations benefit from transferring their security risks to insurers. The insurers will require that risks be understood before pricing their policies. Insurers possess the incentive to encourage organizations to pay for better security and to provide the knowledge to help them do so. Insurers benefit when firms share information about attacks, helping to prevent future attacks from succeeding. To foster this sharing of information, insurance companies may want to offer low deductibles and make payment of claims contingent on timely sharing of information. This prevents future and makes the insured systems less attractive targets for attack by serial thieves. In addition, the monitoring firms can detect known attacks, but to discover the first use of new exploits. These firms can fight parallel attacks through the use of network traffic analysis. They can use this data to identify new viruses and worms, to locate the destination of flows of stolen data, and to detect unusual access requests. Monitoring firms can partner with Honeynets. IMMEDIATE PRACTICAL VALUE OF RESULTS Both studies are equally important since both enhance computer security operations of organizations. Ashgapour her co-researchers (2007) state that the communication of security risks to non-expert computer users requires deviating from the mental models of computer security experts. The strong-experts designate passwords as relating to a criminal model, while non-experts regard passwords as belonging to the physical security. This suggests that non-experts regard password loss as similar to the loss of a key. Experts regard passwords loss as a product of malicious activities. The results support the researcher’s argument that the mental models embedded in risk communication be targeted for non-experts rather than based on the models of the communicating experts. Schechter and Smith present an economic threat modeling as a tool for understanding adversaries motivated by financial gain. With this modeling, the firm is in a position to detect known attacks and discover new exploits. These firms are in a position to fight parallel attacks through the use of network traffic analysis. They can maximize this analysis to detect new viruses and worms, to pinpoint the destination of flows of stolen data, and to detect questionable access requests. TYPE OF FUTURE RESEARCH NEEDED Both studies presented potential new areas of further research. Computer security is slowly being given importance in this country. Schechter and David identified as a new area for research the ability to thwart worms early in the chain of infection which can be of immense value to the firm’s clients. Ashgapour stated that a primary goal of effective risk communication is to assist individuals in making informed decisions about the type of risks which are acceptable and which are not. Clarity in risk communication can help persons utilize decision-making. They identified a new area of research as the conduct of qualitative interviews with experts and non-experts to better understand the mental models associated with computer risk. The researcher did a mathematical modeling for staff. The researchers have designs of risk communication that utilize the physical safety and criminal mental models in visual narrative mechanisms. They completed an initial test with 16 persons who gave an expressed desire to better their behaviors as a result of these narrative risk communications. References Asgharpour Farzaneh, Debin Liu and Jean Camp. “Experimental Evaluations of Expert and Non-expert: Computer Users’ Mental Models of Security Risks.” Schechter, Stuart and Michael D. Smith. “How Much Security is Enough to Stop a Thief? The Economics of Outsider Theft via Computer Systems and Networks.” Harvard University Read More