Information security strategies: towards an organizational multi-strategy perspective

Journal of Intelligent Manufacturing

Abstract

There is considerable advice in both the research and practice-oriented literature on the topic of information security. Most of the discussion in the literature focuses on how to prevent security attacks using technical countermeasures, even though there are a number of other viable strategies such as deterrence, deception, detection and response. This paper reports on a qualitative study, conducted in Korea, to determine how organizations implement security strategies to protect their information systems. The findings reveal a deeply entrenched preventive mindset, driven by the desire to ensure availability of technology and services, and a comparative ignorance of exposure to business security risks. Whilst there was some evidence of the use of other strategies, they too were deployed in a preventive capacity. The paper presents a research agenda that calls for research on enterprise-wide multiple-strategy deployment, with a focus on how to combine, balance and optimize strategies.



Corresponding author

Correspondence to Sangseo Park.

Cite this article

Ahmad, A., Maynard, S.B. & Park, S. Information security strategies: towards an organizational multi-strategy perspective. J Intell Manuf 25, 357–370 (2014). https://doi.org/10.1007/s10845-012-0683-0
