Responsive Security

Book Description

Responsive Security: Be Ready to Be Secure explores the challenges, issues, and dilemmas of managing information security risk, and introduces an approach for addressing concerns from both a practitioner and organizational management standpoint. Utilizing a research study generated from nearly a decade of action research and real-time experience, this book introduces the issues and dilemmas that fueled the study, discusses its key findings, and provides practical methods for managing information security risks. It presents the principles and methods of the responsive security approach, developed from the findings of the study, and details the research that led to the development of the approach.

  • Demonstrates the viability and practicality of the approach in today’s information security risk environment
  • Demystifies information security risk management in practice, and reveals the limitations and inadequacies of current approaches
  • Provides comprehensive coverage of the issues and challenges faced in managing information security risks today

The author reviews existing literature that synthesizes current knowledge, supports the need for, and highlights the significance of the responsive security approach. He also highlights the concepts, strategies, and programs commonly used to achieve information security in organizations.

Responsive Security: Be Ready to Be Secure examines the theories and knowledge in current literature, as well as the practices, related issues, and dilemmas experienced during the study. It discusses the reflexive analysis and interpretation involved in the final research cycles, and validates and refines the concepts, framework, and methodology of a responsive security approach for managing information security risk in a constantly changing risk environment.

Table of Contents

  1. Cover
  2. Half Title
  3. Title
  4. Copyright
  5. Contents
  6. List of Figures
  7. List of Tables
  8. List of Abbreviations
  9. Preface
  10. Acknowledgments
  11. Author
  12. 1 Introduction
    1. 1.1 Background and Motivations
      1. 1.1.1 Business, Technology, and Risk Development
      2. 1.1.2 Common Knowledge, Standards, and Practices
      3. 1.1.3 Profession, Organizational Role, and Function
    2. 1.2 Purpose
    3. 1.3 Questions
    4. 1.4 Research Methodology
    5. 1.5 Organization of Subsequent Chapters
    6. Endnotes
  13. 2 Knowledge, Issues, and Dilemmas
    1. 2.1 Introduction
    2. 2.2 Information Security
    3. 2.3 Principles and Approaches
      1. 2.3.1 Security: As Strong as the Weakest Link
      2. 2.3.2 Defense in Depth
        1. 2.3.2.1 Use of Security Technology
        2. 2.3.2.2 Baseline Security
      3. 2.3.3 No Perfect Security
      4. 2.3.4 Information Security Is Information Risk Management
        1. 2.3.4.1 Risk, Risk Assessment, and Risk Management
        2. 2.3.4.2 Problems of Risk-Based Approach
      5. 2.3.5 A Circular Problem
      6. 2.3.6 IT Security Governance
    4. 2.4 Information Security Risk Management Strategy
      1. 2.4.1 Protect–Detect–React (PDR)
      2. 2.4.2 Detect–React–Protect (DRP)
      3. 2.4.3 Need for Strategic Thinking
    5. 2.5 Information Security Program
      1. 2.5.1 Organization and People
      2. 2.5.2 Risk Assessment and Management
      3. 2.5.3 Policies
      4. 2.5.4 Communication
      5. 2.5.5 Developments
      6. 2.5.6 Operational Security
      7. 2.5.7 Performance Measurements
    6. 2.6 Responding to Change
    7. 2.7 Current Research and Social Perspectives
    8. 2.8 Conclusion
    9. Endnotes
  14. 3 Practice, Issues, and Dilemmas
    1. 3.1 Information Risk Management (IRM) Practices
      1. 3.1.1 Organization and Management Commitments
        1. 3.1.1.1 Stakeholder Support for IRM Program
      2. 3.1.2 Culture of Compliance and Control-Oriented Risk Management
      3. 3.1.3 Theory of Action and Theory in Use
      4. 3.1.4 Risk of Habituation
      5. 3.1.5 Information Risk Management Organization
        1. 3.1.5.1 Systems of Knowledge Power
      6. 3.1.6 Responding to Security Incidents
        1. 3.1.6.1 Incident 1: SNMP Vulnerability
        2. 3.1.6.2 Incident 2: SPAM Mail
      7. 3.1.7 Uncertainties in Information Security Risk Analysis and Management
      8. 3.1.8 Causal Analysis of Information Security Systems
      9. 3.1.9 Summary of Issues and Dilemmas
    2. 3.2 Social–Technical Approach
      1. 3.2.1 Model A Approach
        1. 3.2.1.1 Addressing Theories of Actions of IRMs and Other Managers
        2. 3.2.1.2 Addressing Auditors’ Theories of Actions
        3. 3.2.1.3 Competency and Trust
        4. 3.2.1.4 Five-Level Action Map (FLAM)
        5. 3.2.1.5 Combining Social and Technical Aspects of Information Security Risk Management Systems
        6. 3.2.1.6 Communicating Information Security Risk Status
        7. 3.2.1.7 Limitations of New IRM Systems
        8. 3.2.1.8 Learning through Model A Approach
      2. 3.2.2 Model B Approach
        1. 3.2.2.1 IRM Organization Model
        2. 3.2.2.2 Learning through the Model B Approach
        3. 3.2.2.3 Learning from SQL Slammer, Blaster, and SARS Incidents
        4. 3.2.2.4 Business Continuity and Disaster Recovery Planning
      3. 3.2.3 Summary of Issues and Dilemmas and Research Outcome
      4. Endnotes
  15. 4 Responsive Security
    1. 4.1 Piezoelectric Metaphor
    2. 4.2 BETA’s Approach to Emerging Risks and Attacks
    3. 4.3 Learning from Tsunami Incident
    4. 4.4 Revealing Uncertainties and Making Risks Visible
    5. 4.5 Responsive, Reactive, and Proactive Strategies
    6. 4.6 Criticality Alignment
    7. 4.7 Testing Responsive Approach at GAMMA
    8. 4.8 Learning from Antinny Worm Case Study
    9. 4.9 Refining Responsive Approach
      1. 4.9.1 Risk Forecasting
      2. 4.9.2 Scenario Planning and Development
      3. 4.9.3 Responsiveness Requirements and Action Strategies
        1. 4.9.3.1 Information Security Policies
        2. 4.9.3.2 Information Security Program
        3. 4.9.3.3 Readiness Assurance
    10. 4.10 Responsive Learning
    11. Endnotes
  16. 5 Conclusions and Implications
    1. 5.1 Summary and Results
    2. 5.2 Conclusions about Each Research Question
    3. 5.3 Implications for Theory
    4. 5.4 Implications for Policy and Practice
    5. 5.5 Suggestions for Further Research
    6. Endnotes
  17. Appendix A: Action Research Cycles
  18. Appendix B: Dialectic Model of Systems Inquiry (DMSI)
  19. Appendix C: Framework for Information Risk Management
  20. References
  21. Index