
Choosing a Security Option: The Info Secure Methodology

Presented by
Radhika Kumaran
I ME Software Engg
Overview of the presentation
- This presentation deals with a four-step process used in most organizations today to evaluate the assets to be protected, the potential assailants, and their likely methods and tactics. The aim is to pull the results together and outline a plan of action for investing in cyber security in the ways that best protect the organization's most critical information and processes.
The Info Secure Method
- Initially developed by the RAND Corporation, this method has gained popularity because it is flexible and helps an organization understand the security that its money can buy.
- It addresses three questions essential to information security systems:
1. Who are the likely assailants?
2. What are their potential methods and tactics?
3. What are the most important assets to protect?
Four Steps in Info Secure
1. Ranking and Risk Analysis
2. Methods of Protection
3. Gap Analysis and Ranking
4. Identify Course of Action
Step 1: Ranking and Risk Analysis
- Analyze the risks the organization faces based on its corporate assets, capabilities, systems and products.
- Ranking (ordering) the assets at risk is essential.
Example asset classification matrix

Asset                            | Classification
Corporate products plans         | Business ending
Client contract information      | Business ending
Company sensitive business plans | Recoverable
Corporate human resources        | Recoverable
Travel information               | Nuisance
Personal financial               | Nuisance
Asset versus assailant matrix

Asset                            | Classification  | Foreign country | Organized crime | Random crime | Insider
Corporate products plans         | Business ending | 3 | 1 | 1 | 2
Client contract information      | Business ending | 2 | 3 | 3 | 3
Company sensitive business plans | Recoverable     | 3 | 2 | 2 | 3
Travel information               | Nuisance        | 1 | 1 | 1 | 1
Example history of assailants and risk

Assailant       | Prior attack | Attack success | Likely?
Foreign country | Yes          | Yes            | 3
Organized crime | Yes          | Partial        | 3
Random crime    | No           | Unknown        | 2
Insider         | Unknown      | Unknown        | 2

Example assailant tactics matrix

Assailant       | Trojan | Physical access | Insider | Other
Foreign country | 3      | 1               | 1       | 2
Organized crime | 2      | 3               | 3       | 3
Random crime    | 1      | 1               | 1       | 1
Insider         | 3      | 2               | 2       | 2
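A worked example of Step 1, added here and not part of the presentation: the scores from the three matrices above are entered as data and combined into one ranked list of assets, naming for each asset the assailant to plan against. The slides do not say how the scores should be combined, so the scoring rule (classification weight, times the sum over assailants of interest x likelihood x strongest-tactic score) is an assumption made for this example; the numbers themselves are the ones on the slides.

```python
"""Step 1 worked example (added, not from the slides): rank assets by risk.

The three matrices below hold the scores shown on the slides. The slides do
not state how to combine them, so the scoring rule in threat_score() and
asset_risk() is an assumption made for this example.
"""

# Assumed mapping of the slide's classification labels onto weights.
CLASSIFICATION_WEIGHT = {"Business ending": 3, "Recoverable": 2, "Nuisance": 1}

ASSAILANTS = ["Foreign country", "Organized crime", "Random crime", "Insider"]
TACTICS = ["Trojan", "Physical access", "Insider", "Other"]

# Asset versus assailant matrix: (classification, interest of each assailant).
ASSET_VS_ASSAILANT = {
    "Corporate products plans": ("Business ending", [3, 1, 1, 2]),
    "Client contract information": ("Business ending", [2, 3, 3, 3]),
    "Company sensitive business plans": ("Recoverable", [3, 2, 2, 3]),
    "Travel information": ("Nuisance", [1, 1, 1, 1]),
}

# "Likely?" column of the assailant history matrix.
LIKELIHOOD = {"Foreign country": 3, "Organized crime": 3, "Random crime": 2, "Insider": 2}

# Assailant tactics matrix, columns in the order of TACTICS.
ASSAILANT_TACTICS = {
    "Foreign country": [3, 1, 1, 2],
    "Organized crime": [2, 3, 3, 3],
    "Random crime": [1, 1, 1, 1],
    "Insider": [3, 2, 2, 2],
}


def threat_score(assailant, interest):
    """Threat one assailant poses to one asset (assumed rule):
    interest in the asset x likelihood of attacking x score of its strongest tactic."""
    return interest * LIKELIHOOD[assailant] * max(ASSAILANT_TACTICS[assailant])


def strongest_tactic(assailant):
    """Name of the highest-scoring tactic for an assailant (first one on ties)."""
    scores = ASSAILANT_TACTICS[assailant]
    return TACTICS[scores.index(max(scores))]


def asset_risk(asset):
    """Return (risk, most threatening assailant) for one asset.

    Risk = classification weight x sum of threat scores over all assailants, so an
    asset that many assailants want ranks above one that only a single assailant wants."""
    classification, interests = ASSET_VS_ASSAILANT[asset]
    per_assailant = {a: threat_score(a, i) for a, i in zip(ASSAILANTS, interests)}
    worst = max(per_assailant, key=per_assailant.get)
    risk = CLASSIFICATION_WEIGHT[classification] * sum(per_assailant.values())
    return risk, worst


def rank_assets():
    """Assets ordered from highest to lowest risk, with the assailant to plan against."""
    rows = [(asset, *asset_risk(asset)) for asset in ASSET_VS_ASSAILANT]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for asset, risk, worst in rank_assets():
        print(f"{risk:4d}  {asset:33s} worst: {worst} via {strongest_tactic(worst)}")
```

With the slide's numbers, client contract information ranks first (207) ahead of corporate product plans (150), because three of the four assailant groups want it and two of them have a prior attack history; travel information comes last (26). Changing any one matrix and re-running shows which inputs actually move the ranking, which is the point of keeping the scoring rule explicit.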
Step 2: Methods of Protection
The next major step in the Info Secure method is to identify what types of protection are available to counter the threats identified in the previous step. Organizations first need to survey their current security landscape and then add the necessary measures.
Example matrix of current practice

Asset                            | Tactic                                  | Current security approach
Corporate products plans         | Trojan, physical access, insider, other | Firewall, employee badges, access codes
Client contract information      | Trojan, physical access, insider, other | Firewall, employee badges, access codes
Company sensitive business plans | Trojan, physical access, insider, other | Firewall, employee badges, access codes
Travel information               | Trojan, physical access, insider, other | Firewall, employee badges, access codes
Deciding on new measures
- Based on the previous table, we need to consider new countermeasures to contain the threats.
- A new table can then be created with an added column of improved measures.
Example matrix including improved measures

Asset                | Tactic                          | Current security approach               | Improved security measures
Current product plan | Trojan, physical access, others | Firewall, access codes, employee badges | Very restricted access to data on a need-to-know basis
Step 3: Gap Analysis and Ranking
The two right-most columns of the revised table are compared and the ‘gap’ between the current and the desired security measures is analyzed. New projects can then be considered to close this gap.
Example ranked project list

Priority | Project description                             | Policy impact | Staff impact
1        | Notifying staff                                 | Minor         | Moderate
2        | Monitoring outgoing email                       | Moderate      | Moderate
2        | Disallowing sensitive data on corporate systems | Major         | Major
3        | Implementing two factor authentication          | Moderate      | Major
Step 4: Identify Course of Action
After considering the options, cost is considered. Costs belong to three major categories:
1. Capital cost
2. Overhead cost
3. Expense
Selection of strategies
The analysis supporting the selection relies on one of several strategies, for example:
1. Target price
2. Highest priority
Example projects with associated cost

Priority | Project description                             | Capital cost  | Overhead cost | Expense
1        | Notifying staff                                 | $------------ | $----------   | $--------
2        | Monitoring outgoing email                       | $------------ | $------------ | $------------
2        | Disallowing sensitive data on corporate systems | $------------ | $------------ | $------------
3        | Implementing two factor authentication          | $------------ | $------------ | $------------
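A worked example of Steps 3 and 4, added here and not part of the presentation. It first computes the gap between the current and improved measure columns of the revised table, then applies the two selection strategies the slides name to the ranked project list. The project names, priorities and impacts are the ones on the slides; the dollar figures are constructed sample values because the slide's cost cells are blank, and the exact meaning of "target price" (fund projects in priority order while they fit the budget) and "highest priority" (fund every project in the top priority tiers regardless of cost) is an assumption made for this example.

```python
"""Steps 3 and 4 worked example (added, not from the slides): gap analysis,
then project selection by cost.

Project names, priorities and impacts come from the slides. The costs are
constructed sample values (the slides show $------), and the two selection
rules are this example's reading of the strategies the slides name.
"""
from dataclasses import dataclass

# Step 3: the two right-most columns of the revised matrix for one asset.
CURRENT_MEASURES = {"Firewall", "Access codes", "Employee badges"}
IMPROVED_MEASURES = {"Firewall", "Access codes", "Employee badges",
                     "Need-to-know access restriction"}


def security_gap(current, desired):
    """Measures in the desired column that the current column lacks."""
    return sorted(desired - current)


@dataclass(frozen=True)
class Project:
    priority: int          # 1 = most urgent, as on the slide
    description: str
    policy_impact: str
    staff_impact: str
    capital: int           # constructed sample costs, in dollars
    overhead: int
    expense: int

    @property
    def total_cost(self):
        """Sum of the three cost categories named in Step 4."""
        return self.capital + self.overhead + self.expense


PROJECTS = [
    Project(1, "Notifying staff", "Minor", "Moderate", 0, 2_000, 1_000),
    Project(2, "Monitoring outgoing email", "Moderate", "Moderate", 15_000, 6_000, 3_000),
    Project(2, "Disallowing sensitive data on corporate systems", "Major", "Major",
            5_000, 20_000, 10_000),
    Project(3, "Implementing two factor authentication", "Moderate", "Major",
            40_000, 8_000, 5_000),
]


def select_by_highest_priority(projects, levels=1):
    """'Highest priority' strategy: fund every project in the top `levels`
    priority tiers, whatever they cost."""
    top = sorted({p.priority for p in projects})[:levels]
    return [p for p in projects if p.priority in top]


def select_by_target_price(projects, budget):
    """'Target price' strategy: walk the ranked list (priority, then cheapest first)
    and fund each project that still fits the remaining budget. A project that does
    not fit is skipped rather than stopping, so cheaper lower-ranked work can still
    be funded from what is left."""
    chosen, remaining = [], budget
    for project in sorted(projects, key=lambda p: (p.priority, p.total_cost)):
        if project.total_cost <= remaining:
            chosen.append(project)
            remaining -= project.total_cost
    return chosen


if __name__ == "__main__":
    print("Gap to close:", security_gap(CURRENT_MEASURES, IMPROVED_MEASURES))
    for budget in (30_000, 60_000, 100_000):
        picked = select_by_target_price(PROJECTS, budget)
        print(f"Target price ${budget:,}: {[p.description for p in picked]}")
    print("Top two tiers:", [p.description for p in select_by_highest_priority(PROJECTS, 2)])
```

Running it with the sample costs shows the trade-off the slides leave implicit: at a $60,000 target price the two priority-2 projects cannot both be funded, so the cheaper one is taken and the "Major/Major" impact project waits, whereas the highest-priority strategy funds all three top-tier projects and lets the total cost fall where it will.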
Conclusion
This approach is better than most cyber security methods because it is not rigid and it takes into consideration corporate priorities, culture and investment patterns. It lets an organization make its own cyber security choices with significant input from its own staff and managers, and from outside experts as needed.
