SlideShare uma empresa Scribd logo

Cases

Transferir como PPT, PDF
Alexandra
Alexandra
Tecnologia
1 de 24
Information Security – from Practice to Theory: Case Study Based Learning Alexandra Savelieva, Asst. Professor, PhD Sergey Avdoshin, Professor, PhD, Head of Software Engineering Department National Research University Higher School of Economics, Moscow, Russia School of Software Management
Information security education problem Academia vs. Real World  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions Higher School of Economics - 2012 2
How to make information security course: T AUD  interactive and entertaining TARGE IENC E  facilitating development of analytical skills  encouraging active use of theoretical knowledge  close to real-world situation  adaptive to students’ level and background  admitting both teamwork and independent work  with minimal requirements to laboratory equipment Higher School of Economics - 2012 3
Case study method  Case studies are stories with educational message (Source: Clyde Freeman Herreid, “Start with a story”)  Purpose: teaching students work individually / as a team to: • Analyse information, • Process it in a systematic way • Outline key problems • Generate and evaluate alternative solutions • Select optimal solution and prepare for actions Higher School of Economics - 2012 4
According to the standard ISO/IEC 27001:2005  Information security event is "an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant“.  Information security incident is "a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security". Higher School of Economics - 2012 5
Structure of case study Higher School of Economics - 2012 6
Methods and tools  Terminology & definitions  Static & Dynamic perspective  Parkerian hexad  STRIDE security model  Event chain  What-if analysis Higher School of Economics - 2012 7
Terminology and relationships  Definition 1. Information security risk refers to probability and impact of an information security property violation threat.  Definition 2. Information security property is a subset of six fundamental elements of information security (Confidentiality, Possession or control, Integrity, Authenticity, Availability, and Utility) that can be attributed to an information asset.  Definition 3. Information asset is a piece of information that is valuable to an organization.  Definition 4. Threat is a process that can lead to violation of information security property.  Definition 5. Malicious activity refers to behavior of a person or a system that produces one or more threats. Higher School of Economics - 2012 8
The Classic Triad C–I–A Higher School of Economics - 2012 9
The Parkerian Hexad Protect the 6 atomic elements of INFOSEC:  Confidentiality  Possession or control  Integrity  Authenticity  Availability  Utility Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information Assets. McGraw-Hill (New York). ISBN 0-07- 033147-2. xii + 388 pp. Higher School of Economics - 2012 10
STRIDE classification of threats Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, microsoft.com or Authorization something or ntdll.dll someone else. Tampering Data Validation Modifying data or Modifying a DLL on disk or DVD, or a packet as it Sensitive Data code traverses the LAN. Cryptography Repudiation Cryptography Claiming to have not “I didn’t send that email,” “I didn’t modify that Auditing performed an action. file,” “I certainly didn’t visit that web site, dear!” Information Session Mgt Exposing information Allowing someone to read the Windows source Disclosure Exception Mgt to someone not code; publishing a list of customers to a web site. authorized to see it Denial of Configuration Mgt Deny or degrade Crashing Windows or a web site, sending a packet Service service to users and absorbing seconds of CPU time, or routing packets into a black hole. Elevation of Exception Mgt Gain capabilities Allowing a remote internet user to run commands Privilege Authorization without proper is the classic example, but also going from a authorization limited user to admin. • M.Howard and S.Lipner, The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, pp.304 (2006) © Microsoft / Secure Development Lifecycle 11
Static perspective Information Malicious Asset activity SECURITY PROPERTY RISK SECURITY THREAT Higher School of Economics - 2012 12
Dynamic perspective Informati on System (Target of Attack) Serdiouk, V.A.: Advances in Technologies for Protection against Attacks in Corporate Networks. Tekhnosphera, Moscow (2007) Higher School of Economics - 2012 13
Combined perspective: Event Chain Attack 1 Attack 2 Attack n Higher School of Economics - 2012 14
Case study analysis: table representation Higher School of Economics - 2012 15
Application Higher School of Economics - 2012 16
Case study example: Event chain Higher School of Economics - 2012 17
Case study example analysis Higher School of Economics - 2012 18
Our contributions  Conceptual schema for static analysis of information security event  Event chain visualization for chronological analysis of information security incident  Table representation template for the results of case study analysis  Algorithm for applying the above tools to a case study  Combination of various techniques from threat modeling (STRIDE), project management (Event Chain Diagrams) and information security risk analysis  Framework in line with ISO/IEC 27001:2005 which belongs to the family of the most popular standards on information security management Higher School of Economics - 2012 19
Approbation  Software Engineering Department of National Research University “Higher School of Economics” • “Information security management” (MSc programme, 2nd year) • “Methods of information protection” (BSc programme, 4th year).  Training Labs'2010 conference • Format: interactive case study training “Risk management in the world of digital dependencies”  Course “Microsoft technologies and products in information protection”, supported by a grant from Microsoft • Microsoft faculty resource center, https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=8476&Login • Internet university for information technologies, http://www.intuit.ru/department/security/mssec/ Higher School of Economics - 2012 20
Results - presentation & discussion  Workshop on Teaching Business Informatics: Intelligent Educational Systems and E-learning, BIR 2012, Nizhny Novgorod  Central & Eastern European Software Engineering Conference in Russia 2012, Moscow  International conference “Management of Quality. Information Systems Management MQ-ISM-2012”, Vienna  “IT Security for the Next Generation - European Cup 2011”, Munich  “2011 Workshop on Cyber Security and Global Affairs”, Budapest  Training Labs’2010, Moscow Higher School of Economics - 2012 21
Advantages of case study method  Focus on practical aspects of information security in the real world  High level of students’ interest and involvement  Understanding of organizational decisions and corporate culture impact on information security  Demonstration of risk management principles application in the context of information protection  Practical classes with minimum requirements to equipment  Multifaceted approach to information security – from the perspective of user, technical specialist, CFO, architect, top-manager Higher School of Economics - 2012 22
Acknowledgements Higher School of Economics - 2012 23
Information Security – from Practice to Theory: Case Study Based Learning asavelieva@hse.ru savdoshin@hse.ru

Recomendados

Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Pdf7
Pdf7Pdf7
Pdf7Editor IJARCET
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)BDPA Education and Technology Foundation
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
WP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesWP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesSE_NAM_Training
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 

Recomendados

Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutionsZsolt Nemeth
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defenseZsolt Nemeth
 
Pdf7
Pdf7Pdf7
Pdf7Editor IJARCET
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsZsolt Nemeth
 
Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)Newsletter: BDPA Washington DC (Oct 2011)
Newsletter: BDPA Washington DC (Oct 2011)BDPA Education and Technology Foundation
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
WP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesWP82 Physical Security in Mission Critical Facilities
WP82 Physical Security in Mission Critical FacilitiesSE_NAM_Training
 
Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
A Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOTA Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOTIJEACS
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Hongyang Wang
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Dale Butler
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of InsecurityRackspace
 
B018211016
B018211016B018211016
B018211016IOSR Journals
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
 
CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN ndelannoy
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...IAEME Publication
 
Atos wp-cyberrisks
Atos wp-cyberrisksAtos wp-cyberrisks
Atos wp-cyberrisksHenk van der Tweel
 
Measuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate MetricsMeasuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate MetricsCSCJournals
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricMark Underwood
 
76 s201918
76 s20191876 s201918
76 s201918IJRAT
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itMessiernl
 
Vol13 no2
Vol13 no2Vol13 no2
Vol13 no2fphart
 
The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208Manuel Mejías
 
Cloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta MeetingCloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta MeetingTaylor Banks
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze DataExchangeAgency
 
Ci31560566
Ci31560566Ci31560566
Ci31560566IJERA Editor
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outlineAhmet E
 
Adversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A SurveyAdversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A SurveyCSCJournals
 
Risk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based ReasoningRisk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based ReasoningAfeef Veetil
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 

Mais conteúdo relacionado

Mais procurados

A Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOTA Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOTIJEACS
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Hongyang Wang
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Dale Butler
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of InsecurityRackspace
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
 
CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN ndelannoy
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...IAEME Publication
 
Measuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate MetricsMeasuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate MetricsCSCJournals
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricMark Underwood
 
76 s201918
76 s20191876 s201918
76 s201918IJRAT
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itMessiernl
 
Vol13 no2
Vol13 no2Vol13 no2
Vol13 no2fphart
 
The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208Manuel Mejías
 
Cloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta MeetingCloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta MeetingTaylor Banks
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze DataExchangeAgency
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outlineAhmet E
 
Adversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A SurveyAdversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A SurveyCSCJournals
 

Mais procurados (20)

A Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOTA Novel Security Approach for Communication using IOT
A Novel Security Approach for Communication using IOT
 
Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010Uk Security Breach Investigations Report 2010
Uk Security Breach Investigations Report 2010
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012
 
Removing the Cloud of Insecurity
Removing the Cloud of InsecurityRemoving the Cloud of Insecurity
Removing the Cloud of Insecurity
 
B018211016
B018211016B018211016
B018211016
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
 
CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN CLUSIR DU 12 JUIN
CLUSIR DU 12 JUIN
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...
 
Atos wp-cyberrisks
Atos wp-cyberrisksAtos wp-cyberrisks
Atos wp-cyberrisks
 
Measuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate MetricsMeasuring Information Security: Understanding And Selecting Appropriate Metrics
Measuring Information Security: Understanding And Selecting Appropriate Metrics
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy Fabric
 
76 s201918
76 s20191876 s201918
76 s201918
 
Wall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk itWall street journal 22 sept 10 - perspectives on risk it
Wall street journal 22 sept 10 - perspectives on risk it
 
Vol13 no2
Vol13 no2Vol13 no2
Vol13 no2
 
The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208The OK! technology - Exposé v3.26 20170208
The OK! technology - Exposé v3.26 20170208
 
Cloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta MeetingCloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Security Alliance Q2-2012 Atlanta Meeting
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 
Ci31560566
Ci31560566Ci31560566
Ci31560566
 
Cissp exam-outline
Cissp exam-outlineCissp exam-outline
Cissp exam-outline
 
Adversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A SurveyAdversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Adversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
 

Semelhante a Cases

Risk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based ReasoningRisk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based ReasoningAfeef Veetil
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Data Protection for Higher Education
Data Protection for Higher EducationData Protection for Higher Education
Data Protection for Higher EducationKate Carruthers
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksMatthew Rosenquist
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018Leslie McFarlin
 
An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...PhD Assistance
 
Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...IJECEIAES
 
Trustwave 2012 Global Güvenlik Raporu
Trustwave 2012 Global Güvenlik RaporuTrustwave 2012 Global Güvenlik Raporu
Trustwave 2012 Global Güvenlik RaporuErol Dizdar
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity laurieannwilliams
 
An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...PhD Assistance
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19IBM Sverige
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdfJose R
 
The Top 5 Challenges Facing Security Operations: Report Insights - Adarma
The Top 5 Challenges Facing Security Operations: Report Insights - AdarmaThe Top 5 Challenges Facing Security Operations: Report Insights - Adarma
The Top 5 Challenges Facing Security Operations: Report Insights - Adarmaonline Marketing
 
Managing Cloud Security Risks in Your Organization
Managing Cloud Security Risks in Your OrganizationManaging Cloud Security Risks in Your Organization
Managing Cloud Security Risks in Your OrganizationCharles Lim
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyOrganization
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsPuneet Kukreja
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017Maurice Dawson
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
Security Everywhere in the Digital Economy
Security Everywhere in the Digital EconomySecurity Everywhere in the Digital Economy
Security Everywhere in the Digital EconomyConnected Futures
 

Semelhante a Cases (20)

Risk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based ReasoningRisk Analysis On It Assets Using Case Based Reasoning
Risk Analysis On It Assets Using Case Based Reasoning
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk Management
 
IANS-2008
IANS-2008IANS-2008
IANS-2008
 
Data Protection for Higher Education
Data Protection for Higher EducationData Protection for Higher Education
Data Protection for Higher Education
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
 
Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018Exploration Draft Document- CEM Machine Learning & AI Project 2018
Exploration Draft Document- CEM Machine Learning & AI Project 2018
 
An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...
 
Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...Optimizing cybersecurity incident response decisions using deep reinforcemen...
Optimizing cybersecurity incident response decisions using deep reinforcemen...
 
Trustwave 2012 Global Güvenlik Raporu
Trustwave 2012 Global Güvenlik RaporuTrustwave 2012 Global Güvenlik Raporu
Trustwave 2012 Global Güvenlik Raporu
 
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
 
An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...An overview of cyber security data science from a perspective of machine lear...
An overview of cyber security data science from a perspective of machine lear...
 
CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19
 
4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf4-lessons-of-security-leaders-for-2022.pdf
4-lessons-of-security-leaders-for-2022.pdf
 
The Top 5 Challenges Facing Security Operations: Report Insights - Adarma
The Top 5 Challenges Facing Security Operations: Report Insights - AdarmaThe Top 5 Challenges Facing Security Operations: Report Insights - Adarma
The Top 5 Challenges Facing Security Operations: Report Insights - Adarma
 
Managing Cloud Security Risks in Your Organization
Managing Cloud Security Risks in Your OrganizationManaging Cloud Security Risks in Your Organization
Managing Cloud Security Risks in Your Organization
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Security Everywhere in the Digital Economy
Security Everywhere in the Digital EconomySecurity Everywhere in the Digital Economy
Security Everywhere in the Digital Economy
 

Último

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Cases

  • 1. Information Security – from Practice to Theory: Case Study Based Learning Alexandra Savelieva, Asst. Professor, PhD Sergey Avdoshin, Professor, PhD, Head of Software Engineering Department National Research University Higher School of Economics, Moscow, Russia School of Software Management
  • 2. Information security education problem Academia vs. Real World  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions  Decisions Higher School of Economics - 2012 2
  • 3. How to make information security course: T AUD  interactive and entertaining TARGE IENC E  facilitating development of analytical skills  encouraging active use of theoretical knowledge  close to real-world situation  adaptive to students’ level and background  admitting both teamwork and independent work  with minimal requirements to laboratory equipment Higher School of Economics - 2012 3
  • 4. Case study method  Case studies are stories with educational message (Source: Clyde Freeman Herreid, “Start with a story”)  Purpose: teaching students work individually / as a team to: • Analyse information, • Process it in a systematic way • Outline key problems • Generate and evaluate alternative solutions • Select optimal solution and prepare for actions Higher School of Economics - 2012 4
  • 5. According to the standard ISO/IEC 27001:2005  Information security event is "an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant“.  Information security incident is "a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security". Higher School of Economics - 2012 5
  • 6. Structure of case study Higher School of Economics - 2012 6
  • 7. Methods and tools  Terminology & definitions  Static & Dynamic perspective  Parkerian hexad  STRIDE security model  Event chain  What-if analysis Higher School of Economics - 2012 7
  • 8. Terminology and relationships  Definition 1. Information security risk refers to probability and impact of an information security property violation threat.  Definition 2. Information security property is a subset of six fundamental elements of information security (Confidentiality, Possession or control, Integrity, Authenticity, Availability, and Utility) that can be attributed to an information asset.  Definition 3. Information asset is a piece of information that is valuable to an organization.  Definition 4. Threat is a process that can lead to violation of information security property.  Definition 5. Malicious activity refers to behavior of a person or a system that produces one or more threats. Higher School of Economics - 2012 8
  • 9. The Classic Triad C–I–A Higher School of Economics - 2012 9
  • 10. The Parkerian Hexad Protect the 6 atomic elements of INFOSEC:  Confidentiality  Possession or control  Integrity  Authenticity  Availability  Utility Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information Assets. McGraw-Hill (New York). ISBN 0-07- 033147-2. xii + 388 pp. Higher School of Economics - 2012 10
  • 11. STRIDE classification of threats Threat Property Definition Example Spoofing Authentication Impersonating Pretending to be any of billg, microsoft.com or Authorization something or ntdll.dll someone else. Tampering Data Validation Modifying data or Modifying a DLL on disk or DVD, or a packet as it Sensitive Data code traverses the LAN. Cryptography Repudiation Cryptography Claiming to have not “I didn’t send that email,” “I didn’t modify that Auditing performed an action. file,” “I certainly didn’t visit that web site, dear!” Information Session Mgt Exposing information Allowing someone to read the Windows source Disclosure Exception Mgt to someone not code; publishing a list of customers to a web site. authorized to see it Denial of Configuration Mgt Deny or degrade Crashing Windows or a web site, sending a packet Service service to users and absorbing seconds of CPU time, or routing packets into a black hole. Elevation of Exception Mgt Gain capabilities Allowing a remote internet user to run commands Privilege Authorization without proper is the classic example, but also going from a authorization limited user to admin. • M.Howard and S.Lipner, The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, pp.304 (2006) © Microsoft / Secure Development Lifecycle 11
  • 12. Static perspective Information Malicious Asset activity SECURITY PROPERTY RISK SECURITY THREAT Higher School of Economics - 2012 12
  • 13. Dynamic perspective Informati on System (Target of Attack) Serdiouk, V.A.: Advances in Technologies for Protection against Attacks in Corporate Networks. Tekhnosphera, Moscow (2007) Higher School of Economics - 2012 13
  • 14. Combined perspective: Event Chain Attack 1 Attack 2 Attack n Higher School of Economics - 2012 14
  • 15. Case study analysis: table representation Higher School of Economics - 2012 15
  • 16. Application Higher School of Economics - 2012 16
  • 17. Case study example: Event chain Higher School of Economics - 2012 17
  • 18. Case study example analysis Higher School of Economics - 2012 18
  • 19. Our contributions  Conceptual schema for static analysis of information security event  Event chain visualization for chronological analysis of information security incident  Table representation template for the results of case study analysis  Algorithm for applying the above tools to a case study  Combination of various techniques from threat modeling (STRIDE), project management (Event Chain Diagrams) and information security risk analysis  Framework in line with ISO/IEC 27001:2005 which belongs to the family of the most popular standards on information security management Higher School of Economics - 2012 19
  • 20. Approbation  Software Engineering Department of National Research University “Higher School of Economics” • “Information security management” (MSc programme, 2nd year) • “Methods of information protection” (BSc programme, 4th year).  Training Labs'2010 conference • Format: interactive case study training “Risk management in the world of digital dependencies”  Course “Microsoft technologies and products in information protection”, supported by a grant from Microsoft • Microsoft faculty resource center, https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=8476&Login • Internet university for information technologies, http://www.intuit.ru/department/security/mssec/ Higher School of Economics - 2012 20
  • 21. Results - presentation & discussion  Workshop on Teaching Business Informatics: Intelligent Educational Systems and E-learning, BIR 2012, Nizhny Novgorod  Central & Eastern European Software Engineering Conference in Russia 2012, Moscow  International conference “Management of Quality. Information Systems Management MQ-ISM-2012”, Vienna  “IT Security for the Next Generation - European Cup 2011”, Munich  “2011 Workshop on Cyber Security and Global Affairs”, Budapest  Training Labs’2010, Moscow Higher School of Economics - 2012 21
  • 22. Advantages of case study method  Focus on practical aspects of information security in the real world  High level of students’ interest and involvement  Understanding of organizational decisions and corporate culture impact on information security  Demonstration of risk management principles application in the context of information protection  Practical classes with minimum requirements to equipment  Multifaceted approach to information security – from the perspective of user, technical specialist, CFO, architect, top-manager Higher School of Economics - 2012 22
  • 23. Acknowledgements Higher School of Economics - 2012 23
  • 24. Information Security – from Practice to Theory: Case Study Based Learning asavelieva@hse.ru savdoshin@hse.ru

Notas do Editor

  1. Good morning, dear colleagues. This is my pleasure today…
  2. I started to teach infosec courses in 2008 to the students specialising in software eng and bus inf At that time, the curriculum represented an overview of state-f-the-art of technologies for infomration protection with a pixie-dust of regulations framework. However, I guickly realised that this approach does not contribute a lot into the development of competent specialists of ICT. When overwhelmed with theoretical material, Students tend to quickly get bored and forget it. What these guys will really need in the future is the ability to DECIDE – where to apply a particular technology, how to design user interface to minimise surface for attack and human error, and so on.
  3. So, my challenge was to design a course that would be interactive and entertaining & contribute into the development of analytical skills encouraging active use of theoretical knowledge close to real-world situation adaptive to students’ level and background admitting both teamwork and independent work with minimal requirements to laboratory equipment
  4. The solution arrived very naturally when I read a story about an information security incident about…. I was so excited that I brought it to the classroom to discuss with students, and received similar enthusiasm from students who were able to use this case as Case studies are stories with educational message [4]. Case study method was introduced in the beginning of 20th century in Harvard Business School primarily for development of analytical and problem-solving skills among training lawyers and managers. Currently educational institutions in the US are actively working on adopting case study method into the educational practice of teaching information security and assurance. Case study analysis was enlisted in [24] among the skills that students at both undergraduate and graduate levels should embrace as a security professional. National Science Foundation sponsored a project titled ”Developing Case Studies for Information Security Curriculum” (2008-2011). In May 2012 three US universities, North Carolina A&T State University, the University of North Carolina at Charlotte, and the University of Tennessee at Chattanooga, have collaboratively conducted a Workshop on Teaching In-formation Assurance through Case Studies and Hands-on Experiences [21]. Participants with diverse backgrounds were encouraged to participate and share innovative IA teaching techniques that could be later adopted by multiple disciplines such as computer science, software engineering, information technology, and business.
  5. The majority of case studies for information security classes are based on a situation made up of one or more unwanted or unexpected events that have compromised, or could very likely compromise, the security of an information asset and affect the business operations. Authors Source – sec inc (for practical reasons, relatively easy to get from the press)
  6. To give an idea of how a typical case study looks… It takes much time to prepare a good case, but this is very rewarding. In o The problem of me as a teacher was to facilitate the discussion so that it does not flow away to the subjects outside the scope of the course (e.g. political, religious and philosophical issues), and stick to application of covered materials as much as possible
  7. In this paper, we focus on designing a framework for case study analysis specific to the information security field. In contrast to existing work where teaching notes are provided on case-by-case basis, we aim at providing a unified set of tools that would allow the educator to get to the root problems of any case study. For this purpose, we bring together methods from project management, threat modeling, and risk analysis.
  8. At this slide we introduce terms and definitions that are used in the rest of the paper, and link our ideas to the existing body of knowledge in information security.
  9. Copyright © 2004 M. E. Kabay. All rights reserved. Page control
  10. Copyright © 2004 M. E. Kabay. All rights reserved. Page See Kabay, M. E. (1996). The NCSA Guide to Enterprise Security: Protecting Information Assets . McGraw-Hill (New York). ISBN 0-07-033147-2. xii + 388 pp. Index. for extensive discussion of these issues.
  11. The advantage of having information security property linked to STRIDE threat model is the availability of mitigation techniques based on threat type. For example recommendations for protection against tampering include Windows Vista Mandatory Integrity Controls, ACLs, Digital signatures, and Message authentication codes (see Secure Development Lifecycle (SDL) in [5] for more details). This is particularly useful for students who study software engineering, since they can see the importance of writing secure code on concrete examples, identify pitfalls of information system designers and propose ideas for threat mitigation using techniques and best practices from SDL methodology.
  12. misplaced