
Deploying, Managing, and Securing Social Media Applications

Brian Mennecke

An Important Question
Who in an organization is responsible for security?

These concepts are a summary of Dutta and McCrohan, Management's Role in Information Security in a Cyber Economy, California Management Review, October 2002

The primary message


Who in an organization is responsible for security?
Good security in an organization starts at the top, not with firewalls, shielded cables or biometrics. Senior management has a much more significant role to play in achieving security than they may think.


E-commerce and virtual organizations


Organizations have an internal value chain and must interact with external entities at either end of this chain. External entities may be other businesses, individual customers, or the government. Interactions must be protected from being compromised by unauthorized parties.

Security vs. Privacy


What are the differences between privacy and security?
Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself. Security deals with vulnerability to unauthorized access to content.


Root cause!
Why won't Sr. Management engage in security?
It is difficult to connect security-related expenditures to profitability. Increases in security will often increase costs and reduce efficiency.


What Should Sr. Management Know?


Security is not a technical issue; it is a management issue.
Total security is a myth.
Not all information is of equal value; it is not technically possible to protect all information assets.
Stakeholders will be increasingly less tolerant of cyber-related vulnerabilities.



Threats
Where do threats come from?
Disgruntled current or former employees
Hackers
Virus writers
Criminal groups
Those engaged in corporate espionage
Terrorists
Foreign intelligence services
Information warfare by foreign militaries
Various other actors


Barriers to Security
The worldwide diffusion of the Internet opens up new business opportunities (e.g., 3-R Framework). It also increases an organization's vulnerability, since so many more individuals of unknown origin and intent now have access to its systems.

Increasing Richness; Good or Bad?


Active web content, such as Java applets, enhances interaction with customers and suppliers. This technical capability also allows programs created by external entities to run on an organization's machines.

Increasing Reach; Good or Bad?


Organizations that have an extensive partnering network find it difficult to define the boundaries of their information systems. There is an inherent conflict between security and "open systems" architectures that facilitate EC interactions.

Clue IT In!
Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus or to communicate to them the criticality levels of their information assets?

Three Cornerstones
Senior managers need to remember that security depends on the strength of the three cornerstones:
Critical infrastructures
Organization
Technology

Security also requires an end-to-end view of business processes.


Critical Infrastructures
Critical Infrastructure Protection
Government-Industry Collaboration
Management's Role in Critical Infrastructure Protection: to recognize that critical infrastructure protection is an essential component of corporate governance as well as organizational security


Organization
Structure: leads to the locus of ownership of data and processes
Business Environment: threats are based on
- The value of the firm's intellectual property
- The degree of change the firm is facing
- Its accessibility
- Its industry position
Culture
SOPs
Education, Training, and Awareness


Technology
Firewalls and Intrusion Detection
Password Layering
Public Key Infrastructure
Secure Servers
VPNs


Ok, So What? Managerial Implications


Asset Identification
Risk Assessment
The Control Environment:
- Physical
- Data
- Implementation
- Operations
- Administrative
- Application System Controls


Balancing Risks and Costs


Step 1: Identify information assets at an appropriate level of aggregation
Step 2: Identify the financial consequences of these information assets being compromised, damaged, or lost
Step 3: Identify the costs of implementing the control mechanisms that are being proposed to enhance organizational security
Step 4: Estimate overall risk based on the likelihood of compromise
Step 5: Estimate the benefits expected by implementing the proposed security mechanisms
Step 6: Compare the expected benefits obtained in Step 5 with the cost estimates obtained in Step 3
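
The six steps carried through on numbers, as an added example that is not part of the original slides or of the Dutta and McCrohan article. Every asset value, probability of compromise, control cost and effectiveness figure in it is constructed for illustration; the functions and names (Asset, Control, annual_loss_expectancy, net_benefit, rank_controls) are this example's own, not a published method.

```python
"""Cost-benefit comparison of proposed security controls (Steps 1 to 6).

Added example, not from the slides or the Dutta and McCrohan article.
All asset values, probabilities, control costs and effectiveness figures
are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """Step 1: an information asset at a chosen level of aggregation."""
    name: str
    loss_if_compromised: float   # Step 2: financial consequence of one compromise
    annual_probability: float    # Step 4 input: estimated chance of compromise per year


@dataclass
class Control:
    """Step 3: a proposed control mechanism and what it costs to run for a year."""
    name: str
    annual_cost: float
    # Fraction by which the control is assumed to reduce the annual probability
    # of compromise for each asset it covers (assets not listed are unaffected).
    probability_reduction: dict = field(default_factory=dict)


def annual_loss_expectancy(asset: Asset) -> float:
    """Step 4: overall risk in money terms, loss per event times events per year."""
    return asset.loss_if_compromised * asset.annual_probability


def residual_loss_expectancy(asset: Asset, control: Control) -> float:
    """Expected annual loss on the asset after the control is in place."""
    reduction = control.probability_reduction.get(asset.name, 0.0)
    return annual_loss_expectancy(asset) * (1.0 - reduction)


def expected_benefit(assets, control: Control) -> float:
    """Step 5: total reduction in expected annual loss the control buys."""
    return sum(annual_loss_expectancy(a) - residual_loss_expectancy(a, control)
               for a in assets)


def net_benefit(assets, control: Control) -> float:
    """Step 6: benefit from Step 5 minus the cost from Step 3 (negative means
    the control costs more than the risk it removes on these estimates)."""
    return expected_benefit(assets, control) - control.annual_cost


def rank_controls(assets, controls):
    """Controls ordered by net benefit, best first."""
    return sorted(controls, key=lambda c: net_benefit(assets, c), reverse=True)


# Constructed inventory for a small organization that also runs social media accounts.
ASSETS = [
    Asset("customer database", loss_if_compromised=2_000_000, annual_probability=0.05),
    Asset("public marketing site", loss_if_compromised=50_000, annual_probability=0.30),
    Asset("corporate social media accounts", loss_if_compromised=100_000, annual_probability=0.20),
]

# Constructed proposals with assumed costs and assumed effectiveness.
CONTROLS = [
    Control("MFA on admin and social media logins", annual_cost=30_000,
            probability_reduction={"customer database": 0.6,
                                   "corporate social media accounts": 0.8}),
    Control("Web application firewall for marketing site", annual_cost=25_000,
            probability_reduction={"public marketing site": 0.5}),
    Control("Database encryption at rest", annual_cost=40_000,
            probability_reduction={"customer database": 0.3}),
]


if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name:35s} expected annual loss = {annual_loss_expectancy(asset):>10,.0f}")
    for control in rank_controls(ASSETS, CONTROLS):
        print(f"{control.name:45s} benefit = {expected_benefit(ASSETS, control):>8,.0f}  "
              f"cost = {control.annual_cost:>8,.0f}  net = {net_benefit(ASSETS, control):>9,.0f}")
```

On these constructed figures the MFA proposal is the only one whose expected benefit exceeds its cost; the other two reduce real risk but, at the assumed probabilities, cost more than the loss they avoid. The point of the exercise is the comparison in Step 6, not the absolute numbers: changing a single probability estimate can flip the sign, which is why Step 4's likelihood estimates deserve the most scrutiny.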


Management Actions
Corporate boards should ensure that senior managers buy into the process of risk assessment.
Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process.
Establish an ongoing process of monitoring risk.

The Bottom Line


Managers need to sort through which risks are most likely to materialize and which could cause the most damage to the business, then spend their money where they think it will be most useful. When viewed through an operational lens, decisions about digital security are not much different from other cost-benefit decisions general managers must make.

Back to the Risks


Facebook's Overblown Privacy Problems
Google Hacks
Privacy Disaster At Twitter: Direct Messages Exposed
Social-networking sites concern cybersecurity experts

A Key Requirement for Deploying Social Media is Establishing Security


Without security, the integrity of organizational IT resources will be at risk; therefore, security is everyone's business. Security is an increasingly important issue because of an increasing number of threats.

Security Concepts
Authentication: The process by which one entity verifies that another entity is who they claim to be
Authorization: The process that ensures that a person has the right to access certain resources
Confidentiality: Keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes
Integrity: Being able to protect data from being altered or destroyed in an unauthorized or accidental manner
Nonrepudiation: The ability to limit parties from refuting that a legitimate transaction took place, usually by means of a signature

Types of Threats and Attacks


Nontechnical attack: An attack that uses chicanery to trick people into revealing sensitive information or performing actions that compromise the security of a network

Types of Threats and Attacks (cont.)


Social engineering: A type of nontechnical attack that uses social pressures to trick computer users into compromising computer networks to which those individuals have access

Types of Threats and Attacks (cont.)


Multiprong approach used to combat social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing

Types of Threats and Attacks (cont.)


Technical attack: An attack perpetrated using software and systems knowledge or expertise

Types of Threats and Attacks (cont.)


Denial-of-service (DoS) attack: An attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources

Types of Threats and Attacks (cont.)


Distributed denial-of-service (DDoS) attack: A denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses these multiple computers to send a flood of data packets to the target computer

Types of Threats and Attacks (cont.)


Malware: A generic term for malicious software
The severity of virus attacks is increasing substantially, requiring much more time and money to recover. 85% of survey respondents said that their organizations had been the victims of email viruses in 2002.

Types of Threats and Attacks


Malware takes a variety of forms, both pure and hybrid:
Virus: A piece of software code that inserts itself into a host, including the operating system, to propagate; it requires that its host program be run to activate it
Worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, and is capable of propagating a complete working version of itself onto another machine
Macro virus or macro worm: A virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed
Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk

CERT: Recommendations for Governing Organizational Security


Questions to ask:
What is at risk?
How much security is enough?
How should an organization develop policies on security?
How should an organization achieve and sustain proper security?

The CERT recommendations are derived from a report written by Julia Allen entitled Governing for Enterprise Security, which may be found at http://www.cert.org/archive/pdf/05tn023.pdf

What is at risk?

CERT: Recommendations for Governing Organizational Security


Trust that the public has in your organization
Reputation and brand
Shareholder value
Market confidence
Regulatory compliance
- Fines
- Jail time
Market share
Customer privacy
Ongoing, uninterrupted operations
Morale of organizational members

CERT: Recommendations for Governing Organizational Security


How Much Security is Enough?
Management's perspective needs to shift:
Scope: from technical problem to enterprise problem
Ownership: from IT to enterprise
Funding: from expense to investment
Focus: from intermittent to integrated
Driver: from external to enterprise
Application: from platform/practice to process
Goal: from IT security to enterprise security

CERT: Recommendations for Governing Organizational Security


Good Security Strategy Questions
What needs to be protected?
Why does it need to be protected? What happens if it is not protected?

What potential adverse consequences need to be prevented?


What will be the cost? How much of a disruption can we stand before we take action?

How do we effectively manage the residual risk when protection and prevention actions are not taken?

CERT: Recommendations for Evolving the Security Approach



What Does Effective Security Look Like at the Enterprise Level?
It's no longer solely under IT's control
Achievable, measurable objectives are defined and included in strategic and operational plans
Functions across the organization view security as part of their job (e.g., Audit) and are so measured
Adequate and sustained funding is a given
Senior executives visibly sponsor and measure this work against defined performance parameters
Considered a requirement of being in business

Managing IS and Social Media Technology

Why Establish a Strategy for Social Media?


To provide direction for diverse segments of the organization
To communicate a vision of the future
To provide a coherent and consistent theme that can be used in making individual decisions
Such a dialog helps managers and IS professionals make decisions about how the business of IS will be conducted

The results of the process


An Information Resources Assessment
Information resources assessment includes inventorying and critically evaluating these resources in terms of how well they are meeting the organization's business needs.


The results of the process


Information Vision and Architecture
Information vision: a written expression of the desired future about how information will be used and managed in the organization
Information technology architecture: depicts the way an organization's information resources will be deployed to deliver that vision


The results of the process


Information Resources Plans
Strategic IS plan: contains a set of longer-term objectives that represent measurable movement toward the information vision and technology architecture, and a set of associated major initiatives that must be undertaken to achieve these objectives

Operational IS plan: a precise set of shorter-term goals and associated projects that will be executed by the IS department and by business managers in support of the strategic IS plan

THE PROCESS OF SETTING DIRECTION


Assessment
Vision
Strategic Planning
Operational Planning

THE PROCESS OF SETTING DIRECTION


Strategic Planning
The process of constructing a viable fit between the organization's objectives and resources and its changing market and technological opportunities

THE PROCESS OF SETTING DIRECTION


Operational Planning
lays out the major actions the organization needs to carry out in the shorter term to activate its strategic initiatives

Business Plan vs. Strategy


Chesbrough and Rosenbloom (2003)
Creating value vs. capturing value: the business model focus is on value creation. While the business model also addresses how that value will be captured by the firm, strategy goes further by focusing on building a sustainable competitive advantage.

Business value vs. shareholder value: the business model is an architecture for converting innovation to economic value for the business. However, the business model does not focus on delivering that business value to the shareholder. For example, financing methods are not considered by the business model but nonetheless impact shareholder value.

Assumed knowledge levels: the business model assumes a limited environmental knowledge, whereas strategy depends on a more complex analysis that requires more certainty in the knowledge of the environment.
