
In document 07-02558 (pages 64-67)

implemented to mitigate computer crime and how does this practice correspond with good security principles?

9 The way ahead

This report draws the big picture of information security and computer crime in Norwegian enterprises. Previous research and surveys on computer security have focused on security technologies, so we know more about the use and effectiveness of security technologies than about organizational security measures. The 2006 survey examines for the first time organizational security measures and awareness-raising initiatives in the population of Norwegian enterprises. The results indicate that many organizational measures, in particular those aimed at changing people's attitudes, are implemented only to a limited degree in the organizations. The taxonomies studied suggest that organizational measures are also an important part of a defense-in-depth strategy, and this is where Norwegian enterprises perform less well. Further studies on organizational security measures and their effectiveness will therefore be an important area for future research. The following research questions are relevant and will be addressed in subsequent studies:

– Which organizational security measures do enterprises use?

– How do information security managers regard the effectiveness of organizational security measures?

More specifically:

– How do security policy and guidelines change behavior and raise security awareness in organizations?

– What is the effect of educating employees, and is it worth the effort?

64 FFI-rapport 2007/02558

