
Module 5 – Model, Framework, and Approach
Kang Meng Chow, September 2023

Table of Contents

1 Introduction
  1.1 Learning outcomes
2 Terms and definitions
3 Military/government approach to information security
  3.1 Concepts/principles
  3.2 Driver/motivation
  3.3 Focus of resources
  3.4 Performance
  3.5 Outcomes
4 Commercial approach to information security
  4.1 Concepts/principles
  4.2 Driver/motivation
  4.3 Focus of resources
  4.4 Performance
  4.5 Outcomes
5 Risk-based approach
  5.1 Concepts/principles
  5.2 Driver/motivation
  5.3 Focus of resources
  5.4 Performance
  5.5 Outcomes
6 ISO/IEC 27001 – ISMS
  6.1 Concepts/principles
  6.2 Drivers/motivations
  6.3 Focus of resources
  6.4 Performance
  6.5 Outcome
7 Responsive security
  7.1 Concepts/principles
  7.2 Drivers/motivations
  7.3 Focus of resources
  7.4 Performance
  7.5 Outcomes
  7.6 Remarks
8 Balanced security scorecard
  8.1 Concepts/principles
  8.2 Drivers/motivations
  8.3 Focus of resources
  8.4 Performance
  8.5 Outcomes
  8.6 Remarks
9 Security maturity models
  9.1 Concepts/principles
    9.1.1 Traditional CMMI
    9.1.2 SSE-CMM – ISO/IEC 21827:2008
    9.1.3 Open Group's Open Information Security Management Maturity Model (O-ISM3)
    9.1.4 Information Security Program CMM
    9.1.5 Other examples of security maturity models
  9.2 Drivers/motivations
  9.3 Focus of resources
  9.4 Performance
  9.5 Outcomes
10 New school of information security
  10.1 Concepts/principles
  10.2 Drivers/motivations
  10.3 Focus of resources
  10.4 Performance
  10.5 Outcomes
  10.6 Remarks
11 Other models/approaches
  11.1 Time-based security
    11.1.1 Concepts/principles
    11.1.2 Drivers/motivations
    11.1.3 Focus of resources
    11.1.4 Performance
    11.1.5 Outcomes
  11.2 The OCTAVE approach
  11.3 IT Infrastructure Library (ITIL)
  11.4 Diligence-based security
  11.5 Zero Trust security
12 Summary

Copyright © 2017-2023, Meng-Chow Kang. All Rights Reserved.


1 Introduction
On Aug 24, 2016, the Bangkok Post reported that "about 10,000 ATMs1 are prone to hacking after a
group made off with 12 million baht from a state bank ATM" [1]. The attack reportedly used
malware that exploited security weaknesses in the ATM operating system. The ATMs concerned
were all running Windows XP (Embedded edition), for which Microsoft had ended support at its
end of life on April 8, 2014 [2].

This is neither the first nor the last time that banks' ATMs have been compromised with
significant financial losses. In Sep 2014, the ATM systems of seven Malaysian banks (which were
smartcard-enabled) were compromised by malware, resulting in losses of around 3 million
Malaysian ringgit [3]. In May 2016, ATMs in Japan were hit by a card scam resulting in losses of
about 1.7 billion yen (US$13 million). And in July 2016, 900 ATMs in Taiwan were reported to be
compromised by malware, resulting in NT$70 million (S$2.94 million) of losses. The list goes on.
Besides banks, many other data breach incidents involving IT systems and related services have
taken place over the years. As further examples:

• 2013
o Target - 40 million credit/debit cards and 70 million customer records exposed; more than
US$1 billion in losses; the CIO (Beth Jacob) and CEO (Gregg Steinhafel) resigned.
o Evernote - 50 million users' password hashes breached.
• 2014
o Sony - 100 TB of data leaked; $15 million incurred to deal with ongoing damage;
co-chairperson Amy Pascal stepped down.
o Home Depot - 56 million customer credit and debit card accounts and 53 million customer
email addresses leaked; at least US$62m to cover remediation and legal expenses.
• 2015
o Ashley Madison – approximately 37 million people's personal data compromised. Analysis
of the exposed database suggested that roughly 90-95% of the records were fake, and
173,838 male accounts whose owners had paid to have their records deleted were instead
found still present with a <paid_delete> flag. The entire site and business appeared to be a
fraud.
o LastPass (a security service provider) - users' account email addresses, password
reminders, server per-user salts and authentication hashes were compromised.
• 2016
o SWIFT - cyber thieves stole $81 million in February from a Bangladesh central bank
account at the Federal Reserve Bank of New York; 12 banks may have fallen victim.
o LinkedIn - 117 million email addresses and passwords stolen by hackers four years earlier
surfaced online. At the time the breach occurred, affected members were told to reset their
passwords; the stolen data then became publicly available in May 2016.
• 2017
o In September 2017, Equifax announced a cyber-security breach, which it claims occurred
between mid-May and July 2017, in which cybercriminals accessed approximately 145.5
million U.S. Equifax consumers' personal data, including their full names, Social Security
numbers, birth dates, addresses and driver license numbers. Equifax also confirmed that at
least 209,000 consumers' credit card credentials were taken in the attack [4]. On March 1,
2018, Equifax announced that 2.4 million additional U.S. customers were affected by the
breach. The company claims to have discovered evidence of the intrusion on July 29, 2017.
Residents of the United Kingdom and Canada were also affected [5].

1 Automated Teller Machines
• 2018
o On July 20, 2018, SingHealth reported that about 1.5 million patients, including Prime
Minister Lee Hsien Loong and several ministers, had had their personal data stolen. Some
160,000 of them also had their outpatient prescription records stolen. The 1.5 million
patients had visited SingHealth's specialist outpatient clinics and polyclinics between May 1,
2015 and July 4, 2018. The non-medical personal data illegally accessed and copied
included names, IC numbers, addresses, gender, race and dates of birth [6].
• 2019
o On January 28, 2019, shortly after publication of the SingHealth COI report, MOH held
another press briefing announcing that "The HIV-positive status of 14,200 people—along
with confidential information such as their identification numbers and contact details—has
been leaked online by an 'unauthorized person'." The records included personal
information of 5,400 Singaporeans and 8,800 foreigners.
o On February 16, 2019, MOH announced that, due to an error in a computer system
administered by National Computer Systems (NCS), a SingTel subsidiary, 7,700 individuals
had received inaccurate healthcare and intermediate- and long-term care subsidies. The
affected individuals were among those whose Community Health Assist Scheme (CHAS)
card applications or renewals were processed between September 18 and October 10, 2018.
o On March 15, 2019, the Health Sciences Authority (HSA) reported that the personal
information of 808,201 blood donors in Singapore had been left exposed on the Internet for
nine weeks from Jan 4, after the data was mishandled by a vendor. An external
cybersecurity professional discovered the exposure and alerted the authorities.
o The continuing spate of data breaches led the Singapore Prime Minister to convene a
committee to conduct an eight-month review of data security practices across the entire
public service, starting March 31, 2019. The review resulted in a report recommending five
key improvements and 13 data security measures for implementation in the public sector.
o Since then, cyber-attacks and data breaches have continued. Not all were in the public
sector, but several affected organizations were government-owned or related companies,
including ST Engineering (June 6, 2020), SingTel (February 11, 2021, 129,000 customers'
data), Singapore Airlines (March 5, 2021, 580,000 customers' data), NTUC's e2i services
(April 6, 2021, 30,000 customers' data), Certis Cisco (April 10, 2021, 62,000 emails), the
auxiliary police, and Eyes and Retina Surgeons, a private practice (73,466 patient records
including names, addresses, identity card numbers, contact details and clinical
information) [7].



• 2020-2021
o In July 2020, Canada, the UK and the US announced that hackers attributed to Russian
intelligence had attempted to steal information related to COVID-19 vaccine development.
o Between December 2020 and August 2021, two major IT management software vendors,
SolarWinds [8] and Kaseya [9], were compromised by suspected Russian actors, resulting in
unauthorized intrusion into, and access to, more than two thousand of their customers'
networks and databases. These incidents were among a series of extortion attacks, with
ransom demands exceeding US$120m, across a broad range of industries, including the
Brazil-based JBS [10], the world's largest meat processing company, Colonial Pipeline [11],
the largest fuel pipeline in the US, and more than 200 US government agencies.

Many of the organizations that were compromised are not without an information security or
risk management function of some kind. Depending on the sector, regulators and/or government
institutions have also issued policies and rules requiring them to manage their information
security risks.
There is no shortage of security principles, approaches, frameworks and standards that can be
adopted, for example ISO/IEC 27001 [12] and its related family of standards for information
security management, which many organizations have adopted and for which they have gained
formal certification.
As these incidents show, information security management is not a straightforward or simple
discipline. It is not just a matter of complying with regulatory policies or implementing security
controls based on available standards and best practices. People establish businesses and
government organizations to accomplish specific missions and objectives which, except in a few
specialized cases, are business or organizational outcomes rather than security. They do not have
unlimited resources, are often driven by specific timelines, and frequently need to adjust and
react to changing business circumstances. Security is a cost to their business operations. How
should an organization prioritize and allocate resources for its security initiatives? What should
information security practitioners do to get the best outcome from the limited resources they can
justify? What tools, processes and people, and which standards and best practices, should they
use? How should practitioners measure the outcomes of their activities, i.e., their performance?
The answers to these questions are shaped by the strategy, approach, framework and model
adopted or designed, and implemented, to address the information security problems of their
respective organizations.
In military warfare we have, from the East, Sun Tzu's "The Art of War" [13] from the 5th century
BC and, from the West, Machiavelli's "The Prince" [14], a 16th century political treatise, along
with many other classics that military, political and business strategists continue to reference
when formulating strategies for today's challenges.

In information security there are similarly various strategies, frameworks, approaches and
models, developed over the years, that can help practitioners design, plan, build, deploy and
operate an Information Security Management System (ISMS) in an organization.



1.1 Learning outcomes
The learning outcomes desired for this module are the following:

• Understand and differentiate the models, frameworks, and approaches applicable to
information security management
• Discuss the pros and cons of each model, framework, and approach covered in the course
• Select and apply what has been learned to given scenarios.



2 Terms and definitions
As you become involved in, or start reading about, information security management, you will
encounter terms such as security model, framework, approach, strategy, standard, policy,
guideline and many others. A common challenge is that some of these terms have no standard or
formal definition; in some cases they have more than one definition, depending on the context of
use. To make sure we are on the same page, let us go through the definitions of the terms relevant
to this module before diving into the specifics. Where necessary, I will provide an informal
working definition when no formal definition is available, so that we have something in common
to fall back on in our discussion. We may also iterate and refine those informal definitions as we
learn more about each term and its use in practice.

The following are terms (and their definitions2) commonly found in the information security
literature and the practice environment:

• Model – a model is normally a system or thing (noun) used as an example to follow or
imitate. The objectives of a model include (1) facilitating understanding by eliminating
unnecessary components, (2) aiding decision making by simulating "what if" scenarios, or
(3) explaining, controlling and predicting events based on past observations.3 In the
information security context, formal and informal security models have been defined and
developed over the years. For example, the Bell-LaPadula model [15] is a confidentiality
protection model that has been implemented in secure operating systems such as Multics
[16], and the Clark-Wilson integrity model [17] proposes a policy of well-formed
transactions to ensure information integrity.
• Framework – a framework is the basic structure of something: a set of ideas or facts that
provide support for it. A framework is also known as a supporting structure or a structural
frame. Throughout this module, we will use the following framework to capture the essence
of each approach or strategy discussed:
o Concepts and principles – the basic idea or philosophy behind an approach, strategy,
framework or model.
o Driver/motivation – the mechanics in the strategy, approach, framework or model
that cause or influence stakeholders to invest or spend on security.
o Focus of resources – what and where resources (people, time, money) are directed.
o Performance measurement – how we know whether we are successful, i.e., whether
the desired outcome has been achieved, and what metrics are normally used.
o Outcome – the results or consequences of the strategy, approach, framework or
model being discussed.
The Framework for Information Risk Management (FIRM) in Kang [18] provides a structure
that depicts the key areas of information risk management that should be assessed or
determined to address an organization's information security needs.
Parker's [19] "New Information Security Framework", also known as the Parkerian Hexad,
provides definitions and recommendations for achieving six information security
properties: availability, utility, integrity, authenticity, confidentiality and possession. See
also Section 11.4 on the Diligence-based Security approach that resulted from this
framework.

2 Most of the terms do not have a standard definition or may have several definitions depending
on the context of use. An informal (working) definition is provided when no formal definition is
available.
3 As defined in [Link]
• Approach – an approach is a way or method of dealing with something. We will discuss
several approaches to information security management later in this module.
• Strategy – a strategy is a high-level plan to achieve one or more goals under conditions of
uncertainty. The term is sometimes also used to denote a plan of action or policy designed
to achieve a major or overall aim. A strategy sets an overall direction and provides overall
policy on matters of concern, which enables decisions to be made on the ground during
execution.
• Performance – refers to a task or operation (or a project as a whole) seen in terms of how
successfully it is performed or accomplished by an individual, a group and/or a system.
• Measurement – a unit or system of measuring; the action of measuring something.
• Metrics – a system or standard of measurement. Security metrics are measurements taken
to show the status of security (or insecurity) of the system being measured. We will discuss
performance measurement and security metrics in Module 6 – Security Operations.
• Policy – a security policy is a statement of the security we expect a system to enforce, or an
individual or group to comply with. An example is a military security policy, which defines
information access based on the need-to-know rule: access to sensitive data is allowed only
to subjects who need to know that data to perform their jobs. For a more detailed discourse
on the various definitions of, and challenges relating to, security policy, see Kang [18].
• Standards – standards identify requirements and specifications that can be used
consistently to ensure that materials, products, processes or services are fit for their
purpose.
• Guidelines – provide recommendations (which may include several options) for meeting
the requirements defined in policies and/or standards.
• Best practices – or common practices, to be more accurate, are security controls commonly
adopted or applied to solve a specific security problem or to meet specific requirements
defined in policies and/or standards.
• Plan – details the scope of work, a series of tasks to be executed, the resources (people,
timeline) and milestones, and the desired goals or objectives of each task (or group of
tasks).
• Program – a program is a set of related measures or activities with a particular long-term
aim. In an organizational context it normally refers to a formal initiative or undertaking
designed to achieve a specific goal, or a set of goals, that forms part (or the whole) of a
strategy. A program consists of one or more projects, each with a detailed plan for
delivery/completion.
• Project – a project is an individual or collaborative enterprise that is carefully planned to
achieve a particular aim.
Programs and projects are the key components that enable execution of a strategy. The Five-
Level Action Map (FLAM) [18] shows an example of their inter-relationships, and of their
influence on, and the effects they receive from, the technical and process aspects of, and the
events generated in, a security system.



3 Military/government approach to information security
The focus of the military security approach is to meet the requirements of the military security
policy, namely protecting classified information. Military organizations were among the first in
history to practise information security, beginning with the use of cryptography, primarily for
message confidentiality. They have since evolved to use well-defined security principles and
models implemented in systems known as trusted computing systems.

Government organizations also create, process and store classified information. As such, their
policy is similar, i.e., to protect classified information, and they adopt the same principles and
models as the military. However, government organizations also deal with the public and handle
vast amounts of non-classified information, whose protection is based on the commercial
approach (discussed later in this module).

3.1 Concepts/principles
Information classification - In military/government systems, each piece of information is ranked
(i.e., classified) at a particular sensitivity level, such as unclassified, restricted, confidential, secret, or
top secret, in the order of sensitivity.
The need-to-know principle determines and controls the access to information, i.e., access to
sensitive data is allowed only to subjects (individuals or groups) who have a justified reason or
purpose to know the content of the data or information to perform their jobs.
Each piece of classified information may be related to one or more projects, called compartments,
describing the subject matter of the information. Information in a compartment may be limited to a
classification level, or two or more levels. Where more than one levels of classified information are
involved in a compartment, the compartment is designated the highest level of classification of the
information involved.
A person seeking access to classified information must be security cleared. A security clearance is
an indication that a person can be trusted to access information up to a certain level of
classification, and that the person needs to know certain categories of information. The clearance of
a subject is therefore a combination of <rank, compartment>.
Military security enforces both sensitivity requirements and need-to-know requirements.
Sensitivity requirements are known also as hierarchical requirements; need to know restrictions
are non-hierarchical.
The Bell-LaPadula [15] security model is the most widely known military security model; it
defines the mandatory access control (MAC) policy model that enforces the classification and
need-to-know principles.
In addition to the need-to-know principle, the principle of least privilege also plays a critical role
in enforcing the military security policy in information systems. Least privilege is also known as
need-to-hold principle, which means that a user of an information system shall not be granted more
privileges than he/she requires to perform his/her job on the system. The application of this
principle prevents users from bypassing the need-to-know controls, whether intentionally or
otherwise, which could result in unauthorized access to classified information at a higher level, or
in a different compartment.
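The <rank, compartment> clearance check and the no-read-up / no-write-down rules of the Bell-LaPadula model, as an added example that is not code from the module notes: the rank order follows the notes, while the compartment names and the sample subject and objects are constructed for illustration.

```python
"""Military-style clearance check in the Bell-LaPadula spirit.

Added example, not from the module notes. Rank order follows the notes;
compartment names and the sample labels below are constructed.
"""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels, lowest to highest (order as in the notes).
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """A <rank, compartment> label, used both for clearances and classifications."""
    rank: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` on both axes:
        the hierarchical rank and the non-hierarchical need-to-know set."""
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and self.compartments >= other.compartments)


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's classification."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """*-property (no write down): the object's classification must dominate
    the subject's clearance, so information never flows to a lower label."""
    return classification.dominates(clearance)


def compartment_label(levels, compartment: str) -> Label:
    """A compartment holding information at several levels is designated the
    highest level involved, as the notes describe."""
    top = max(levels, key=RANKS.index)
    return Label(top, frozenset({compartment}))


# Constructed sample subject and objects.
analyst = Label("secret", frozenset({"ALPHA"}))
alpha_report = Label("confidential", frozenset({"ALPHA"}))
bravo_report = Label("confidential", frozenset({"BRAVO"}))
ts_alpha = Label("top secret", frozenset({"ALPHA"}))

if __name__ == "__main__":
    print(can_read(analyst, alpha_report))   # True: rank and compartment both dominate
    print(can_read(analyst, bravo_report))   # False: no need-to-know for BRAVO
    print(can_read(analyst, ts_alpha))       # False: no read up
    print(can_write(analyst, ts_alpha))      # True: writing up is permitted
    print(can_write(analyst, alpha_report))  # False: no write down
```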

Copyright © 2017-2023, Meng-Chow Kang. All Rights Reserved. 10


For more information on the above concepts and principles, see Pfleeger [20]4.

3.2 Driver/Motivation
The primary driver or motivator for the military security approach is the notion that information
security is a national security matter. National security is paramount; therefore complete protection
(based on classification of information) is required.
This approach embeds the cost of security in the IT systems and infrastructure, as their
implementation has to incorporate enforcement of the security models to achieve the
requirements of the military security policy.

3.3 Focus of resources


In environments that use the military security approach, resources (people, time, funds,
technology) are focused on enforcing the need-to-know and least privilege principles.
Confidentiality protection is given the highest priority, since information classification is derived from
the assessed level of sensitivity of the information. This in turn drives the resources towards
ensuring proper and correct classification and re-classification (mustering) exercises, conducting
personnel security clearance, and systems security evaluation and certification.
Resources are also focused on building trusted computing systems that meet the classified
information policy requirements, including standards such as the Common Criteria.

3.4 Performance
Performance of such an approach is measured by the completeness of coverage, and the
correctness and accuracy of implementation and use, in relation to the security policy of ensuring
that classified information is protected against unauthorized access.
IT system security is often rated by the level of certification it can achieve under the Common
Criteria certification scheme (or previously the Trusted Computer System Evaluation Criteria, aka the Orange Book).

3.5 Outcomes
Extremely high cost to develop, implement, and operate systems that need to enforce the military
security policy.
In the industry, there’s also a lack of expertise, i.e., limited capacity to support the development,
operations, and upgrading of such systems.
Systems designed for such an approach normally trail behind commercial systems in terms of their
efficiency and utility. They are unable to use newer technology until a thorough security evaluation
has been completed to ascertain that the new technology does not introduce new weaknesses or
result in compromising the policy requirements.
The nature of compartmentalization and strict access policy enforcement renders such systems
much more tightly coupled and therefore inherently less interoperable with other systems.
Such an approach is nevertheless not perfect, as shown in recent data leakage incidents (e.g.,
Snowden, Manning, and WikiLeaks) in which massive volumes of classified information were
compromised. The people aspect remains the weakest link in all these cases, for example:
inadequate enforcement of the security clearance process, and lack of oversight and auditing of
authorized personnel’s access.

4 Note that there are fourth or fifth editions of this book available from the library.



4 Commercial approach to information security
Also known as the traditional approach, the commercial approach is less rigid and less hierarchically
structured. Except for the defense industry or companies involved in sensitive government projects,
commercial businesses normally do not handle classified information. The level of sensitivity is at a
commercial grade, which is not of national security concern. Commercial business information
consists of proprietary information and personal data (or personally identifiable information, PII).
Proprietary information includes intellectual property (such as trade secrets) and business
strategic information (including strategic financial information as well as sales strategy
information). Customer information may include proprietary information and personal data,
depending on the nature of the business.

Unlike the military or government, commercial businesses do not have a system of security
clearance, though employees may undergo a background check and a series of interviews to ensure
a reasonably honest/clean background. The rules for allowing access are therefore based on the
decision of the business manager (or information owner). The information owner is also responsible
for business information classification, i.e., differentiating sensitive from non-sensitive information
from a business perspective.
Commercial security policy focuses on protecting the confidentiality, integrity, and availability
(informally named the C.I.A. model) of the variety of information and related systems in the
organization. A specific security policy may be defined for each category of commercial information.
While commercial organizations do not follow the military security approach, commercial systems do
inherit some of the properties of the Trusted Computing systems standards. In particular, from the
Bell-LaPadula [15] security model perspective, commercial systems such as Unix/Linux and
Windows do implement the discretionary access control (DAC) model, in which access rules are
determined by information owners (i.e., whoever creates a file or folder in the file system).

4.1 Concepts/principles
Theoretical security models such as the Clark and Wilson [17] integrity model and the Chinese Wall
security policy are applicable to the commercial businesses. Clark and Wilson propose the concept
of well-formed transactions in relation to business processes (transformation procedure), key actors
(roles), and related data items to ensure systems and information integrity.
Consider a company that orders and pays for materials. The process might take the following steps:
1. A purchasing clerk creates an order for a supply, sending copies of the order to both the
supplier and the receiving department.
2. The supplier ships the goods, which arrive at the receiving department. A receiving clerk
checks the delivery, ensures that the correct quantity of the right item has been received,
and signs a delivery form. The delivery form and the original order go to the accounting
department.
3. The supplier sends an invoice to the accounting department. An accounting clerk compares
the invoice with the original order (as to price and other terms) and the delivery form (as to
quantity and item) and issues a check to the supplier.



The sequence of these activities is important. Performing the steps in order, performing exactly the
steps listed, and authenticating the individuals who perform the steps constitute a well-formed
transaction.
Another principle that is commonly practiced in commercial businesses is the principle of
separation of duty. As in the above example, several people might be authorized to issue orders,
receive goods, and write checks. However, the company would not want the same person issuing
the order, receiving the goods, and writing the check, as this would increase the potential for abuse.
As such, the company might want a policy that specifies that three separate individuals must be
authorized for the three separate activities exclusively. Such an arrangement is known as
separation of duty. Another common application is to ensure that developers do not perform operations
work, and vice versa. However, this separation is facing challenges in today’s DevOps
approach, which combines development and operations in the cloud computing environment.
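The three-step purchasing example above as a well-formed transaction with separation of duty, written as an added example (not code from the module notes): the steps and roles follow the notes, while the user names, role assignments, item names and amounts are constructed.

```python
"""Well-formed transaction with separation of duty for the purchasing example.

Added example, not from the module notes. The users, roles, item names and
amounts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Roles held by authenticated users (constructed). Several people may hold a
# role, and one person may hold several; the policy cares who acts on an order.
ROLES = {
    "alice": {"purchasing"},
    "bob": {"receiving"},
    "carol": {"accounting"},
    "erin": {"purchasing", "receiving"},
}

# The only permitted sequence of steps (transformation procedures), with the
# role certified to perform each one.
STEPS = [("order", "purchasing"), ("receive", "receiving"), ("pay", "accounting")]


class PolicyViolation(Exception):
    """Raised when a step would break the well-formed transaction rules."""


@dataclass
class PurchaseOrder:
    item: str
    quantity: int
    unit_price: float
    history: list = field(default_factory=list)   # (step, user) audit trail
    received_quantity: Optional[int] = None
    paid: Optional[float] = None

    def _authorize(self, step: str, user: str) -> None:
        """Check ordering, role and separation of duty before a step runs."""
        if len(self.history) >= len(STEPS):
            raise PolicyViolation("transaction already complete")
        expected_step, role = STEPS[len(self.history)]
        if step != expected_step:               # exactly the listed steps, in order
            raise PolicyViolation(f"expected step '{expected_step}', got '{step}'")
        if role not in ROLES.get(user, set()):  # the actor must hold the certified role
            raise PolicyViolation(f"{user} is not authorized for the {role} role")
        if any(u == user for _, u in self.history):   # separation of duty
            raise PolicyViolation(f"{user} already performed a step on this order")

    def order(self, user: str) -> None:
        """Step 1: a purchasing clerk raises the order."""
        self._authorize("order", user)
        self.history.append(("order", user))

    def receive(self, user: str, delivered_quantity: int) -> None:
        """Step 2: a receiving clerk checks the delivery and signs the form."""
        self._authorize("receive", user)
        if delivered_quantity != self.quantity:
            raise PolicyViolation("delivered quantity does not match the order")
        self.received_quantity = delivered_quantity
        self.history.append(("receive", user))

    def pay(self, user: str, invoice_total: float) -> float:
        """Step 3: an accounting clerk reconciles invoice, order and delivery form."""
        self._authorize("pay", user)
        expected = self.received_quantity * self.unit_price
        if abs(invoice_total - expected) > 0.005:
            raise PolicyViolation("invoice does not match order price and delivery")
        self.paid = invoice_total
        self.history.append(("pay", user))
        return self.paid

    def is_complete(self) -> bool:
        """True once all three steps have been performed in order."""
        return len(self.history) == len(STEPS)


if __name__ == "__main__":
    po = PurchaseOrder("bolts", quantity=100, unit_price=0.5)
    po.order("alice")
    po.receive("bob", 100)
    print(po.pay("carol", 50.0), po.is_complete())   # 50.0 True
```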

Brewer and Nash [21] define a security policy that reflects the separation of duty principle, which is
normally applied at a higher level in commercial corporations to prevent conflicts of interest. The
access control rule is: a person can access any information as long as the person has never accessed
information from a different company in the same conflict class. The idea behind such a rule is that
overlapping access would otherwise give the person privileged knowledge, which
could unfairly influence the outcomes of related events thereafter. For example, in accounting firms
such as PricewaterhouseCoopers (PwC) and Ernst & Young (EY), individuals involved in auditing
the IT systems of a client must not be involved in providing consulting services to advise on the
security of the same system. The two departments must be separated, or “firewalled”. This is to
make sure that the individuals will not, during their audit work, create consulting opportunities or use
the findings of the audit work to sell consulting services; or, when performing consulting work, leave gaps
in the system to ensure the audit work discovers issues for the audit report. In practice, most
organizations will also have a policy disallowing their auditing firm from providing consulting
services.
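The Brewer and Nash access rule stated above, implemented as an added example (not code from the module notes): the conflict classes, company names and access history are constructed, and the firms named in the text are deliberately not used.

```python
"""Brewer-Nash (Chinese Wall) access rule as stated in the notes.

Added example, not from the module notes. The conflict classes, company names
and the access history are constructed for illustration.
"""
from collections import defaultdict

# Conflict-of-interest classes: companies that compete with each other (constructed).
CONFLICT_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilCo", "PetroCo"},
}


def conflict_class_of(company: str) -> str:
    """Name of the conflict class that `company` belongs to."""
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"unknown company {company!r}")


class ChineseWall:
    """Tracks what each person has accessed and applies the rule: access is
    allowed unless the person has already accessed information of a different
    company in the same conflict class."""

    def __init__(self) -> None:
        self.history = defaultdict(set)   # user -> companies whose data they accessed

    def may_access(self, user: str, company: str) -> bool:
        """Pure check, no side effects."""
        cls = conflict_class_of(company)
        return not any(seen != company and conflict_class_of(seen) == cls
                       for seen in self.history[user])

    def access(self, user: str, company: str) -> bool:
        """Record the access if allowed; once recorded, the wall is up for the
        rest of that conflict class."""
        if not self.may_access(user, company):
            return False
        self.history[user].add(company)
        return True

    def accessible(self, user: str) -> set:
        """Companies the user could still be assigned to, e.g. when staffing an
        audit engagement without creating a conflict of interest."""
        return {c for members in CONFLICT_CLASSES.values()
                for c in members if self.may_access(user, c)}


if __name__ == "__main__":
    wall = ChineseWall()
    print(wall.access("pat", "BankA"))   # True
    print(wall.access("pat", "BankB"))   # False: competitor in the same class
    print(wall.access("pat", "OilCo"))   # True: different conflict class
    print(sorted(wall.accessible("pat")))  # ['BankA', 'OilCo']
```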

The principles of the weakest link and defense in depth are also commonly used in designing
security in commercial business applications and information systems. The weakest link principle
states that security is only as strong as the weakest link, borrowing the concept from a steel chain,
which breaks once one of its links breaks. To address the weakest link concern, the
commercial security approach uses the principle of defense in depth to build overlapping layers of
protection, normally mapped to the Open Systems Interconnection (OSI) 7-layer model. A
baseline security approach might also be introduced to “raise the bar” in security protection
across the enterprise. The purpose of the baseline security approach is to make sure that every
component of an IT system implements a minimum level of security that would protect it from
common or well-known threats/attacks. In this way, the potential for weak links will likely be
minimized. The baseline approach typically makes use of industry standards of best practice, such
as the ISO/IEC 27002 Code of Practice for Information Security Controls [22], and in some
organizations, further adopting recommendations such as the SANS CIS Critical Controls [23], or
similar.

4.2 Driver/Motivation
The most common driver for information security in commercial businesses is legal/regulatory and
policy compliance, as there are reputational costs and customer trust implications relating to
non-compliance. For publicly listed companies, their stock price might also be impacted (negatively) as a
result.
In addition, companies fear high-profile incidents of data breaches, intrusions, and other
compromises, especially in recent years when such attacks have become prevalent.

4.3 Focus of resources


While the commercial security approach is not meant for protecting classified information,
information classification remains an important task to determine what information is
important to the business, customers, and partners, and what is strategic versus operational
information. With adequate classification, resources can be focused on addressing the protection
needs of the more critical (higher sensitivity) information.

As the commercial security approach is very much concerned with the weakest link problem, baseline
security plays an important role in strengthening the foundational infrastructure, which also serves
as part of the defense-in-depth strategy. Building a higher baseline therefore continues to be the
quest of information security practitioners.
A major part of baseline requirements in organizations is based on industry best practices and
standards. Implementing best practices is another area where resources will be channeled.
As observed, the resources in the commercial security approach are mainly focused on preventing
known issues from happening.

4.4 Performance
Driven by policies and standards, compliance is a major part of such an approach. It is only through
compliance measurement that management can find out if standards have been implemented and
policies are being followed. Compliance audits may be performed by internal auditors or external
auditors as part of the compliance measurement process, issuing an audit report with a related audit
rating, such as unsatisfactory, room for improvement, or satisfactory, to denote the state of
compliance.

Information security practitioners may complement such audits with periodic security reviews or
assessments to identify non-compliance issues for remediation, in order to help businesses gain a
better audit rating before a compliance audit.
Given management’s focus on compliance and audit ratings, business units may also appoint their
own compliance officer to conduct self-assessments on a regular basis to further ensure adequate
compliance in business operations.

4.5 Outcomes
The resource and performance focus address only what is known and discoverable through
security reviews, self-assessments, and audits, which are based largely on requirements formulated
in existing policies, laws, and regulations, standards, and best practices guidelines.5

5For details about baseline security and its challenges, see Kang [Link], M.-C., Responsive Security - Be ready
to be secure. 1st ed. 2013, [Link]
Secure/Kang/p/book/9781466584303: Routledge (CRC Press). 237.



Organizations using such an approach are often surprised by and reactive to new risk issues and
attacks, since these are not something for which security controls can be pre-determined in policies,
standards, and best practice guidelines. The only control requirement that can help to address new
attacks is the incident detection, response, and handling procedures, which many organizations
tend to under-resource.
Compliance is not the same as security: incidents emerge as changes occur in the environment or
systems, so a false sense of security results when an organization gains a good compliance audit rating.

The cost (direct and indirect) of security becomes questionable when incidents continue to happen. The
information security officer is therefore placed in a paradoxical situation.
Justification for investing in security is often unconvincing when benefits cannot be clearly
articulated except for gaining compliance.



5 Risk-based approach
5.1 Concepts/principles
The cost of security will continue to rise as the commercial security approach presses for higher baseline
requirements in an attempt to address as many weak links (security issues) as can be found
(through audits, self-assessments, or security reviews).

Similarly, taking a defense-in-depth approach means adding more security controls at each layer of
the OSI stack. Again, this increases the cost of security further and at the same time adds complexity
to the IT environment. Changes in one IT system may affect multiple layers of the OSI stack, as well
as other connected IT systems. Relying on other layers of the OSI stack to address security concerns
indirectly increases the dependency of security at one layer on the controls that secure/protect resources at another
layer. Human intervention will be required to resolve issues, and as humans get involved, office
politics arise inadvertently. Such social aspects of security are often not considered in IT solutions,
though individuals and groups will take steps to avoid social conflicts, or leverage them for personal
gain. Uncertainties and weak links are therefore inherent in complex systems.
Learning from the principle of no perfect security [18], information security managers must learn
from risk managers to accept trade-offs between risk and available resources; this is the basis of
risk management [24, 25]. In other words, an information security manager needs to prioritize her
limited resources to focus on the most important security issues.6

5.2 Driver/Motivation
Besides the realization that the traditional/commercial security approach approximates a perfect security
approach, which is not practical, there are other drivers that motivate the adoption of a risk-based
approach.
Businesses deal with risk issues every day.7 For example, whether to invest in buying certain
equipment or hiring certain people to produce goods, weighed against the possibility that nobody
may buy the goods later, is a risk management decision. Risk is therefore a language that business
managers understand. Balancing risk and opportunity means deciding where to spend or invest the limited
resources that a business has: to address a risk issue, which is to prevent a potential loss or
harm, or to use the resources for something that may result in gaining more resources? Taking the
former approach is often driven by a sense of fear of a risk exposure materializing. Doubt and
uncertainty also play a role in influencing decisions, though they are not exactly the same as risk [26,
27].

5.3 Focus of resources


Identification of security-related risk issues is the major focus of the information security practitioner
or risk manager in such an approach. Conducting interviews, reviewing documentation, and
performing security tests, such as vulnerability scans and/or penetration testing, are all part of the
process of risk identification.

Many risk issues will likely be identified through the risk identification process. Before deciding
what to do with each of these risk items, the risk manager will have to perform risk analysis to
determine the likelihood of each risk item and its ease of exploitation. Based on quantitative,
qualitative, or combined methods of analysis, each risk will carry a rating. A risk
assessment is then performed whereby the risk rating is assessed against the potential
impact to the organization (or IT systems concerned) should the risk materialize. Such assessment
may then result in plotting each risk item in a two-dimensional matrix as shown in Figure 1.

6 More discussion about risk, risk analysis, and risk assessments is covered in Module 5.
7 For a discussion of the perception of risk and the strategic impact of existing IT on information security
strategy at board level, see (McFadzean, Ezingeard, & Birchall, 2007).

Figure 1: Example of a risk assessment matrix

The risk treatment decision on whether to accept, transfer, mitigate/reduce, or avoid each risk is then
made based on the outcome of the risk assessment. Accepting a risk means living with it, either
without doing anything, or implementing compensating controls to minimize the potential impact.
Transferring a risk takes place through buying insurance, or having a third party
address it. In both cases, the business remains accountable should the risk materialize, though the
impact may be less significant or more recoverable. Mitigation or reduction involves identifying or
designing specific control measures to address the risk issue, to reduce its chance (probability) of
occurrence, if not eliminate it (e.g., by using a different technology or process that does not have the
same risk). Risk avoidance means not having anything to do with the risk by avoiding possible
contact, e.g., stopping use of the IT system involved, or stopping the project altogether.
The risk treatment decision will have to take into consideration the total cost of security controls
when deciding which treatment option has the highest cost-benefit ratio. The total cost of
security controls should include the following elements:

• Program/project management cost – such as cost of people, external services, and tools or
IT systems required for managing the implementation of the solution.
• Selection cost – such as validation of legal compliance of the security control options,
evaluation, testing (proof of concept and pilot tests) to ensure the most adequate solution is
selected.
• Acquisition cost – of materials, IT systems/components, including waiting time (i.e., time
loss due to non-utilization of resources).

• Construction and installation cost – for overall design, development, implementation, and
in-progress and final testing of the solution before production.
• Cost of environmental changes – such as new facilities and supporting infrastructure and
systems.
• Nontrivial operating cost – including cost of energy/utility overheads, monitoring, and
response preparation/drills/exercises.
• Maintenance and testing cost – including ongoing preventive maintenance changes and
related activities, and vulnerability management.
• Cost relating to potential side effects – such as social behavioral changes, users’ acceptance,
which may entail additional education, training, or compensation.
The final step of risk response is to implement the risk treatment decision, monitor its performance
(effectiveness of the solution chosen), and audit to verify and validate its completion.

5.4 Performance
The effectiveness of the risk-based approach relates closely to the quality of the risk issues identified.
Rigor in risk identification, analysis, and assessment is therefore critical. There is, however, also a
tendency to use the quantity (number) of risk issues identified as a gauge of whether an IT system
or business environment is weak or strong in security. In reality, one significant risk issue may be
more than sufficient to result in a major outage or breach that negatively impacts the organization,
whereas many insignificant risk issues may only result in distraction or slight inconvenience.
Cost-benefit computation is another factor that may be used to assess the effectiveness of a risk
management program. For example, the amount of investment in security, the benefits derived
from such investment (such as enabling certain online services that would otherwise not be permitted by the
regulator), or the savings realized year-on-year per security incident responded to/investigated.
The amount of time (normally measured in days) taken to close a security risk issue can also be a
measure of performance, from a risk mitigation efficiency perspective.

5.5 Outcomes
A risk-based approach is essentially a resource prioritization decision making approach. The
primary focus is on cost-benefit against limited resources availability.
Typically, during the risk treatment phase, due to resource constraints (budget limitations in
particular), business managers will focus only on high-probability risk issues with potentially high
impact and, when resources are available, then investigate risk issues with lower probability and
potential impact, and so on. This can have several problems, as risk analysis by itself is humanly
subjective, which means that a high-risk issue may be assessed as low risk (whether due to lack of
experience or risk habituation) and as a result does not get the focus and attention required for
resolution. Low-risk issues may also change over time due to business, systems, and environmental
changes. If a low-risk but high-impact issue materializes, the impact will be significant. Furthermore,
there are threats that may remain hidden, and vulnerabilities and exploits that are unpublished,
which will not be identifiable as risks. Errors in external risk analysis may also affect a risk
manager’s assessment of a risk item. All this contributes to weak links in the system involved,
which the risk management program will not address. Even if a risk manager has the resources and
desire to address all risks, she can only address the risks that are known, but not those that are
hidden.8
While residual risks do not get attention, since typical risk management approach does not
determine what residual risk remains, new risk issues will also remain dormant in the system until
they get discovered. Often, they have to wait for the next risk assessment cycle (if they get identified
at all then), or reported by individuals or auditors who discover them.

As similar or near-similar risk issues may be found in multiple systems, platforms, networks,
processes, or procedures (for example, inadequate account security settings in desktop/server
operating systems and network devices), the risk-based approach will also adopt baseline security
controls to address most of the known security weaknesses, thereby reducing the need for risk
treatment decisions on recurring or duplicated risk issues. This also makes the cost of security more
deterministic. It nevertheless inherits the same weakness of using baseline security as in the
traditional commercial security approach: the higher baseline desired to eliminate weak links will
increase controls on seemingly low-impact, less valuable systems, thereby increasing the challenge of
getting management/user buy-in.

As the auditors’ role is focused on policy compliance, their appetite for risk acceptance tends to be low,
and they therefore look at all risk issues as non-compliance issues that require mitigation. Given their
line of reporting, which is normally to the Board or Audit Committee, and the impact of a poor audit
rating on individuals, even though management may wish to make risk-based decisions on
information security issues, compliance still takes precedence in most organizations.

8 Refer to Kang [18], M.-C., Responsive Security - Be ready to be secure, 1st ed., 2013,
[Link], Routledge (CRC Press), p. 237, for a detailed discourse of the challenges of the risk-based approach.



6 ISO/IEC 27001 - ISMS
ISO/IEC 27001 is an international standard that specifies the requirements for an Information
Security Management System (ISMS). Its origin goes back to the late 1980s/early 1990s, starting
from a set of baseline security controls jointly developed by a group of information security officers
from a number of financial institutions in the UK. The baseline standard made its way to the British
Standards Institution (BSI), which eventually published it as a British Standard, BS 7799 Part 1, as a
“Code of Practice for Information Security Management”, in 1997, subsequently revised in 1999
as a second edition [28]. A management system approach (borrowing from the quality management
systems domain, such as the ISO 9001/14001 standards) was adopted as a way to determine which
security controls (defined in BS 7799-1) should be used under what circumstances, using a risk-based
approach for decision making.
A number of organizational requirements, when implemented, constitute the establishment of an
ISMS. For example: formation of a security management committee to govern the system; conduct
of regular or periodic risk assessments to identify and address risks; conduct of internal audits to
verify that required documentation is developed and maintained and that processes are followed (i.e.,
complied with); and external audits to validate the ISMS practices. All these processes should be executed
through a continuous improvement cycle which entails four major steps, i.e., planning, operation,
performance evaluation, and improvement.9 The management system cycle should repeat at least
once a year to maintain compliance with the standard. BS 7799 Part 2 [29] specifies these
requirements. It was published alongside BS 7799 Part 1.

Besides the continuous improvement lifecycle processes, the standard requires compliance with a set of
baseline technical controls as specified in the annex of the requirements specification. The
baseline technical controls cover 14 domains and map directly to the control requirements
specified in the code of practice standard.
In 1999, the two standards were fast-tracked in ISO/IEC JTC 1/SC 27, the sub-committee in the
international security standardization arena, and published as international standards, ISO/IEC
17799 Parts 1 and 2. The ISMS became Part 1, whereas the code of practice became Part 2. The
standards have since undergone a renumbering process and become ISO/IEC 27001 and ISO/IEC
27002, with two revisions, published in 2005 and 2013, respectively [22, 30]. A number
of supporting standards have also been developed to provide additional guidance and support the
implementation of ISO/IEC 27001 and 27002 (see slides #33-38). As new technology emerges,
additional technical control requirements are also developed as new supporting standards to allow
ISO/IEC 27001 certification to cover the required scope. For example, with the proliferation of
cloud computing, ISO/IEC 27017 [31] and ISO/IEC 27018 [32] have been developed to provide
additional control requirements for cloud computing security and privacy needs, respectively.
As a requirements specification, an ISO/IEC 27001 implementation is certifiable by
accredited third-party certification bodies to show compliance with the standard.10 Each ISO
member country can establish its own accreditation body, or use certification bodies accredited by
other ISO member countries.11 The certification, once completed, is valid for a period of three years.
A maintenance cycle is required each year for the two years after the certification year. A
re-certification cycle is required in the fourth year to renew the certification. To date, more than
10,000 organizations in the world have been formally ISO/IEC 27001 certified and continue to
maintain their certification.

9 In BS 7799 and up to the 2005 version of ISO/IEC 27001, the continuous improvement cycle steps were named
Plan, Do, Check, and Act (PDCA), following the quality management systems cycle.
10 Note that guidelines and best practices standards are not certifiable standards.

6.1 Concepts/Principles
The ISMS approach is essentially a risk-based approach, following the same concepts and
principles. The main addition is the management system that formalizes the management lifecycle.
Supported by the international standardization efforts, it enjoys higher recognition than most other
risk-based approaches (such as OCTAVE [33], for example).
The key feature offered by the management system is a process for continuous improvement, which
may be integrated with other existing management systems, such as quality management systems,
in an organization.

6.2 Drivers/Motivations
As a certifiable scheme, ISMS provides a branding effect, in which attaining a formal certification is
regarded as a symbol of trustworthiness. This creates an intangible business value and therefore
helps drive adoption and sponsorship for implementing information security formally in the
organization.
As a risk-based approach, it inherits similar drivers and motivations as discussed in the earlier
section as well.

6.3 Focus of Resources


Besides focusing on the risk management process, much attention is on maintaining the required
documentation, and executing the process steps in the ISMS cycle to ensure compliance with the
standard’s requirements.

6.4 Performance
Effectiveness of the ISMS implementation and operations in organizations follows the risk-based approach closely. In addition, attainment and maintenance of the formal certification reflect the organization's state of compliance with the standard, but not necessarily with the organization's security policy, unless explicit efforts are invested to align the policy requirements with the standard.
The 2013 revision of ISO/IEC 27001 includes a section specifically on performance evaluation requirements in relation to the lifecycle processes, and the roles and responsibilities of the various stakeholders involved. Trends in the following areas of information security performance are suggested in the new section to be compiled and evaluated as part of the management review:

• Non-conformities and corrective actions
• Monitoring and measurement results
• Audit results
• Fulfillment of information security objectives.

11 The Singapore Accreditation Council (SAC) is the national accreditation body in Singapore. For more information, see: [Link]


6.5 Outcome
As observed in the practice environment, ISMS shares similar outcomes with the risk-based approach. However, due to the focus on certification (as a trust assurance symbol), there is a tendency for management to ignore or pay less attention to the underlying risk issues as long as certification status is maintained. Nevertheless, most ISMS audits report very few issues and tend to rate them as opportunities for improvement instead of non-conformities, since auditors (external ones in particular) are paid by the organization undergoing certification rather than by the customers or third parties looking for third-party assurance.
Furthermore, ISMS certification is limited to a particular scope of the organization's business. The scope may be a specific service that the organization delivers, a collection of services, a legal entity in a particular country of operation, or the entire organization. Certifying the entire organization, especially for multi-national corporations, is an expensive undertaking and at the same time dilutes the focus of the ISMS itself. Gaining ISMS certification only denotes that the certified scope is in compliance with the standard and has an ISMS in operation.



7 Responsive Security
Responsive Security [18] is an approach developed to address the shortcomings of the commercial security and the risk-based approaches, including ISMS. Responsive Security also addresses the issues observed in Parker's Diligence-based Security [34], discussed in Section 11.4.

Development of the responsive security approach is grounded in both theory and practice of
information security risk management. At the theoretical front, it addresses a circular problem of
information security principles that begins and ends with the principle of the weakest link, as
shown in the outcomes of the approaches discussed earlier.

Figure 2: Circular problem of information security principles [18]

In the practice environment, information security practitioners are challenged by several social-technical issues and dilemmas when attempting to solve information security problems. The following summarizes a few of the key challenges:12

• As security management is a weak-link problem, it requires the security manager to address all known security issues. If the security manager is able to do this effectively, the best outcome will be no more security issues, which also means nothing happens. Is nothing happening really the result of the security manager's efforts, or is she just lucky that the attacker is not interested in the organization as a target (for now)? Or is it because the security systems are already broken, such that they are not detecting security problems/attacks that are already happening? These questions are all difficult or impossible to answer, since the attacker is in the dark and what the attacker and the protector know about the organization's security weaknesses is asymmetric and unlikely to be the same. Furthermore, if the outcome is nothing happening, it is also a challenge to justify investment: zero events is not exactly a measurable outcome. On the other hand, as long as the attacker can find a weakness in the system and cause an incident alert, the security manager will have to react to the attack, which may be disruptive to IT operations or the business. She may also be perceived as failing in her job to protect the organization. A better way to measure security is therefore required.

12 Additional issues and dilemmas in the practice environment can be found in Chapter 3 of Kang [18]: Kang, M.-C., Responsive Security - Be ready to be secure. 1st ed. 2013, Routledge (CRC Press). 237. [Link]Security-Be-Ready-to-Be-Secure/Kang/p/book/9781466584303


• Traditionally, security practitioners leverage external security incidents to instill fear, uncertainty, and doubt (FUD) in order to get business management to invest in security initiatives. At some point, such an approach backfires when management perceives that the organization is in good shape (since there's no significant incident taking place), and that the problem probably lies in the security practitioner herself.
• Since management pays attention to the auditors' reports, another common approach is to take a compliance approach and leverage the auditors to highlight security issues and help push for security investment. However, even if this is successful, compliance addresses only the requirements specified in policies and standards, not new attacks and new security problems emerging from business changes. The organization will remain reactive to eventual security incidents, as well as audit issues. The security manager still does not get a fair performance assessment as a result.
• Many organizations have business continuity management, disaster recovery planning, crisis management, and other forms of contingency or emergency planning and management in place. However, they each function as a separate entity and will at most include the information security function in their exercises, rather than being integrated into a holistic risk management group.

There are two aspects to these issues and dilemmas in the theoretical domain and the practice environment. One is the "soft" problems, i.e., human-related challenges, whereas the other is the "hard" (technical or engineering-related) challenges. The responsive security approach provides a means to address these theoretical and practical issues and dilemmas in information security risk management, taking into consideration both the soft (social) and hard (technical) requirements, and hence may also be categorized as a social-technical approach.

7.1 Concepts/Principles
Responsive security is based on a substantive concept for information security risk management, known as the piezoelectric theory, which states that:
If the design of information security practices of organization systems that enables a prompt realignment of the systems satisfies the systemic requirements for the changing risk condition of the systems environment, the potential negative effects of the new risk condition of the systems environment will be balanced or counteracted by the re-alignment activities [18].
In other words, if an organization is prepared and ready to respond to a security event, it will incur less negative impact than if it is ill-prepared. Its level of preparedness and responsiveness is a direct outcome of its investment in a readiness program.
Based on the piezoelectric behavioral principle, the responsive security approach focuses on achieving responsive behavior in the organization, which covers three key areas:
1. Visibility of change events,
2. Situation awareness upon detection of significant changes, and
3. Criticality alignment as a response to re-align critical assets, people, infrastructure, and/or processes (both technical and social) to the new situation.
The responsive security approach uses a combination of social-technical tools and methodologies to implement and maintain an information security program. The social aspect focuses on the "soft" issues, i.e., human-activity-related challenges, whereas the technical aspect focuses on the "hard" (technical or engineering-related) challenges.
Social techniques include, but may not be limited to, the following:

• Stakeholder analysis and engagement – to identify key stakeholders in an information security program (internal and external stakeholders included), and the actions required to influence their behavior and support towards the program.
• Dialectic Model of Systems Inquiry (DMSI) – to understand systems requirements and create a solution model, taking into consideration the ideal model and the practical constraints in the operating environment.
• Five-Level Action Map (FLAM) – to identify and organize the program, projects, and tasks, and identify their intra- and inter-relationships with ongoing change events and the technical infrastructure, mechanisms, methods, and processes.
• Action learning (or action research) practices – to develop a personal and organizational learning system, and to understand and influence stakeholders' behavior and support.
• Flood's Four Windows Systems View – to evaluate the learning/observations/outcomes from four different systems thinking perspectives, from which plausible systemic explanations of issues and dilemmas can be developed, as well as optional courses of action.
Technical techniques involve the use of technical tools/mechanisms, methods, and processes to provide the needed visibility, situation awareness, and criticality alignment. One useful method is the Failure Mode and Effects Analysis (FMEA) methodology, which is commonly used in safety-critical systems design processes. FMEA can help to identify the modes of failure that could potentially occur in each system, and based on the failure modes, we can identify related failure events (through the use of causal analysis or cause-effect analysis methods). If a system monitors for the occurrence of the failure events and is able to respond to them before the events lead to the related failure mode, we can potentially stop the failure from happening (if a response procedure can be executed in time) in the best case, or minimize the damage by isolating other connected systems or components, or pre-warning people to take emergency steps, in the worst case.
Another methodology, Fault Tree Analysis, may also be applied to identify potential faults and establish the related events that would cause or result in each fault, and then provide monitoring to detect and respond to those events accordingly.
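To make the FMEA/fault-tree monitoring idea above concrete, here is an added example in Python. It is not code from the module notes or from Kang's book; the failure modes, their gates, the event names, the responses, and the log format are all hypothetical. Each failure mode is modelled as a gate (AND or OR) over its contributing failure events, so an AND-gated mode whose events have only partially been observed is reported as "at risk" and its pre-planned response is queued before the mode materialises, which is the "respond before the events lead to the failure mode" point. The block also reports observed events that no failure mode explains (candidates for updating the FMEA) and a simple monitoring-coverage ratio.

```python
"""Added example (not from the module notes or Kang's book): a fault-tree style
monitor that maps observed failure events to failure modes and decides when to
respond. Failure modes, event names, responses and log format are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FailureMode:
    """One top-level failure mode and the failure events that lead to it."""
    name: str
    gate: str           # "AND": all events needed; "OR": any single event suffices
    events: frozenset   # contributing failure events from the FMEA / fault tree
    response: str       # pre-planned containment or pre-warning action
    severity: int       # 1 (low) .. 3 (high), orders the action queue


# Hypothetical fault tree for a small environment (constructed for illustration).
FAILURE_MODES: List[FailureMode] = [
    FailureMode("backup_restore_unavailable", "AND",
                frozenset({"backup_job_failed", "restore_test_failed"}),
                "escalate to storage on-call; pre-warn business units", 3),
    FailureMode("account_takeover_path", "OR",
                frozenset({"mfa_bypass_detected", "credential_stuffing_spike"}),
                "force re-authentication; block offending source ranges", 3),
    FailureMode("patch_pipeline_stalled", "AND",
                frozenset({"patch_feed_unreachable", "deploy_job_failed"}),
                "notify change board; extend compensating controls", 2),
]

# Every failure event the fault tree knows about.
KNOWN_FAILURE_EVENTS: Set[str] = set().union(*(fm.events for fm in FAILURE_MODES))

# Constructed sample log, one "<timestamp> <system> <event_name>" per line.
SAMPLE_LOG = """\
2023-09-01T02:10:05Z backup-01 backup_job_failed
2023-09-01T02:11:30Z web-03 credential_stuffing_spike
2023-09-01T02:15:00Z patch-01 patch_feed_unreachable
2023-09-01T02:15:01Z web-03 heartbeat_ok
malformed line
"""


def parse_events(log: str) -> Set[str]:
    """Extract event names from the log, skipping malformed lines."""
    events = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.add(parts[2])
    return events


def evaluate(observed: Set[str]) -> Dict[str, dict]:
    """Classify each failure mode against the observed events.

    triggered: gate satisfied, the failure mode has materialised
    at_risk:   AND gate partially satisfied, respond now to prevent it
    clear:     none of its contributing events has been seen
    """
    results = {}
    for fm in FAILURE_MODES:
        seen = fm.events & observed
        if not seen:
            state = "clear"
        elif fm.gate == "OR" or seen == fm.events:
            state = "triggered"
        else:
            state = "at_risk"
        results[fm.name] = {
            "state": state,
            "seen": sorted(seen),
            "missing": sorted(fm.events - seen),
            "severity": fm.severity,
            "response": fm.response if state != "clear" else None,
        }
    return results


def action_queue(results: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Order pending responses: highest severity first, triggered before at_risk."""
    pending = [(name, r["state"], r["response"])
               for name, r in results.items() if r["state"] != "clear"]
    return sorted(pending, key=lambda x: (-results[x[0]]["severity"], x[1] != "triggered"))


def unexplained_events(log: str) -> Set[str]:
    """Events seen that no failure mode explains: review them when updating the FMEA."""
    return parse_events(log) - KNOWN_FAILURE_EVENTS


def monitoring_coverage(monitored: Set[str]) -> float:
    """Fraction of known failure events that a monitor actually watches for."""
    return len(KNOWN_FAILURE_EVENTS & monitored) / len(KNOWN_FAILURE_EVENTS)


def run_monitor(log: str) -> Dict[str, dict]:
    """Parse the log and evaluate the fault tree over it."""
    return evaluate(parse_events(log))


if __name__ == "__main__":
    for name, state, response in action_queue(run_monitor(SAMPLE_LOG)):
        print(f"{state:9} {name}: {response}")
```

On the sample log, the OR-gated account takeover mode is reported as triggered, while the two AND-gated modes are reported as at risk with the missing event named, so the responder knows both what to do now and what further event would complete the failure.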
From an overall information security management standpoint, the responsive security approach is not a standalone approach. It leverages existing approaches, such as ISMS or other risk-based approaches, to address known risk issues and raise the baseline security, which then allows it to focus on implementing and operating a readiness program to identify or discover hidden, new or emerging risk issues (visibility), gain situation awareness, and be ready to respond to their occurrence (i.e., criticality alignment).13

7.2 Drivers/Motivations
The main driver for responsive security is recognition that weak links prevail and readiness is key
to address the hidden risks, as well as new and emerging attacks.

13 Additional notes/examples on the responsive security approach, including learning from the anti-phishing campaign discussed during the lecture, can be found in [Link]


Insecurity is measurable and can be reduced proactively, whereas security is not. Through a
combination of a risk-based and responsive security approach, we can drive down the number of
known weaknesses, improve coverage and closure, and at the same time be prepared for the
emergence of previously hidden, or new/emerging risk issues.
Potential impact can also be measured through measuring the state of readiness via the conduct of
drills, exercises (tabletop and mock-up), as well as from actual incident data.

7.3 Focus of Resources
Approximately 50% of the resources should continue to focus on a risk-based approach, preferably ISMS, for its global recognition and the availability of knowledge support through a continuous stream of supporting standards that are regularly updated.
The other 50% of the resources should focus on two aspects (social and technical) to deliver three key outputs: visibility of change events, situation awareness, and criticality alignment, as discussed in the earlier sub-sections.

• Prepare – what are the changes that are critical? What should I do to be ready for those changes?
• Detect – how do I know if something critical is changing?
• Respond – escalate/notify/report, contain, remediate, protect

Action learning practices are used to understand and influence stakeholders' behaviors and support.

7.4 Performance
Performance of such an approach (in addition to the measures used in a risk-based/ISMS approach) is measured by the answer to the question: are we ready?
Possible metrics include the following:

• Responsiveness: time to detect, contain, remediate
• Measurable change of user behavior before/after training and planned exercises
• State of readiness (based on the readiness program)
• Coverage of potential failure modes and related failure events monitoring.
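As an added example (not from the module notes), the following Python computes the responsiveness metrics listed above from incident records. The incident records, stage names, and target values are constructed for illustration; time to detect is measured from occurrence to detection, and time to contain and time to remediate from detection, which is an assumption of this example rather than a definition from the notes. It also handles two practical cases a metrics pipeline meets immediately: incidents that are still open (no remediation timestamp yet) and records whose stage timestamps are out of order.

```python
"""Added example (not from the module notes): responsiveness metrics, time to
detect, contain and remediate, computed from constructed incident records."""
from datetime import datetime, timezone
from statistics import mean, median
from typing import Dict, List, Optional

# Assumed stage order of an incident record.
STAGES = ["occurred", "detected", "contained", "remediated"]

# Each metric is the elapsed time (hours) between two stages; an assumption.
METRICS = {
    "time_to_detect": ("occurred", "detected"),
    "time_to_contain": ("detected", "contained"),
    "time_to_remediate": ("detected", "remediated"),
}

# Hypothetical targets in hours, used to flag breaches.
TARGETS_HOURS = {"time_to_detect": 1.0, "time_to_contain": 4.0, "time_to_remediate": 48.0}

# Constructed incident records (not real data); None = stage not reached yet.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-09-01T02:00:00Z", "detected": "2023-09-01T02:30:00Z",
     "contained": "2023-09-01T04:00:00Z", "remediated": "2023-09-02T02:00:00Z"},
    {"id": "INC-2", "occurred": "2023-09-03T10:00:00Z", "detected": "2023-09-03T10:05:00Z",
     "contained": "2023-09-03T10:45:00Z", "remediated": "2023-09-03T16:05:00Z"},
    {"id": "INC-3", "occurred": "2023-09-05T08:00:00Z", "detected": "2023-09-06T08:00:00Z",
     "contained": "2023-09-06T09:00:00Z", "remediated": None},
]


def parse_ts(ts: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp with a trailing Z; works on older Pythons too."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stage_durations(incident: dict) -> Dict[str, Optional[float]]:
    """Return each metric in hours, or None if its end stage has not been reached.

    Raises ValueError if recorded stages are out of order, which is usually a
    data-entry error that would otherwise silently yield negative durations.
    """
    times = {s: parse_ts(incident.get(s)) for s in STAGES}
    previous = None
    for stage in STAGES:
        t = times[stage]
        if t is None:
            continue
        if previous is not None and t < previous:
            raise ValueError(f"{incident['id']}: {stage} precedes an earlier stage")
        previous = t
    out = {}
    for metric, (start, end) in METRICS.items():
        if times[start] is None or times[end] is None:
            out[metric] = None
        else:
            out[metric] = (times[end] - times[start]).total_seconds() / 3600.0
    return out


def summarize(incidents: List[dict]) -> Dict[str, dict]:
    """Per metric: count, mean/median hours, target, breaching ids, open ids."""
    summary = {}
    for metric in METRICS:
        values, breaches, open_ids = [], [], []
        for inc in incidents:
            hours = stage_durations(inc)[metric]
            if hours is None:
                open_ids.append(inc["id"])   # stage not reached: still open
                continue
            values.append(hours)
            if hours > TARGETS_HOURS[metric]:
                breaches.append(inc["id"])
        summary[metric] = {
            "count": len(values),
            "mean_hours": mean(values) if values else None,
            "median_hours": median(values) if values else None,
            "target_hours": TARGETS_HOURS[metric],
            "breaches": breaches,
            "open": open_ids,
        }
    return summary


if __name__ == "__main__":
    for metric, s in summarize(INCIDENTS).items():
        print(f"{metric}: median {s['median_hours']:.2f}h, "
              f"breaches {s['breaches']}, open {s['open']}")
```

Reporting the median alongside the mean matters here: one slow detection (INC-3, a day late) pulls the mean time to detect to about eight hours while the median stays at half an hour, and listing the breaching incident ids points the review straight at the case worth investigating.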

7.5 Outcomes
Use of resources will be justifiable through actual changes experienced and measurable in the organization or related systems environment, resulting in positive behavior changes rather than merely driving compliance.
Readiness aligns with the business's understanding and approach, and results in better buy-in and commitment. Not ready means the business cannot do what it wants to do; risky means the business can still go on, but must accept the risk.
Action learning/research practices take into consideration the social-psychological aspects of stakeholders' behaviors.

Being overly focused on metrics may have its own side effects; e.g., a focus on response time may reduce the quality and completeness of the investigation of an incident.



7.6 Remarks
While this approach is relatively new, consciously or unconsciously, many organizations are beginning to realize that weak links prevail, and that a risk-based or compliance approach has undesired limitations. They have started to implement new technical solutions to gain better visibility and prepare for more effective response. The security technology industry has in recent years introduced new solutions in the form of security analytics/intelligence, coupled with the emergence of various Information Sharing and Analysis Center (ISAC) industry consortiums, which support the need for visibility of change events and near-real-time situation awareness. At the same time, tools such as cyber ranges and anti-phishing exercise toolkits are now available to help organizations plan and execute more realistic security drills and exercises in related areas of security. Containment solutions such as BGP IP blackholing, sinkhole networks, and VLANs (for network isolation) have been available for many years, and more organizations are now beginning to deploy them to enhance their responsive security capabilities. Cyber security simulation exercises are becoming more common events in executive boardrooms to test preparedness at various levels of the organization.



8 Balanced Security Scorecard
The idea of a Balanced Security Scorecard (BSS) originates from the need to gain visibility and understanding of the security performance of the organization. The Balanced Scorecard approach, which is a widely adopted business governance tool, quickly became the tool of choice to serve this need. The Balanced Scorecard was developed by Robert Kaplan and David Norton [35] to address the shortcomings of using traditional financial metrics as the only means for measuring executives' performance. The Balanced Scorecard is "balanced" by incorporating four primary perspectives: financial, customer, internal business process, and learning and growth as organizational performance metrics or measures.14 In practice, these four perspectives are normally retained.

8.1 Concepts/Principles
The key principle of using a BSS is to align information security objectives with the organization's vision, strategy, and desired outcomes.
As a business scorecard, the BSS provides a means for senior management to evaluate information security performance against established objectives and metrics (relating to strategic outcomes and performance drivers).
The scorecard should tell the story of the business unit's strategy by linking the outcome measures and the performance driver measures. The strategy is developed to lead a way (or direction) towards accomplishing its grand vision.
Using Kaplan and Norton's framework, the approach starts with the long-run financial objectives, linking these to the sequence of actions that must be taken with financial processes, customers, internal processes, and finally, employees and systems to deliver the desired long-term economic performance. The financial themes (or strategic outcomes) of increasing revenues, improving cost and productivity, enhancing asset utilization, and reducing risk can provide the necessary linkages across all four scorecard perspectives in most organizations.

The information security group's BSS can tap directly into this "reducing risk" theme at the highest level. To extend this example further, the information security officer may also establish an objective for her department "to become financially self-sustaining in two years", which links directly to the "improving cost and productivity" financial theme at the highest level. For this to happen, there may be an objective in the customer perspective "to deliver a positive customer security experience" (measured by customer satisfaction rating), which requires an internal process objective "to provide security as a service that's always available on demand" (measured by service readiness, efficiency, and effectiveness), and a people's learning and growth objective, "to build service competency and a culture of customer-first security" (measured by test results and customer ratings).
Each of these objectives should have related performance driver metrics (or measures) defined and linked together via a series of cause-and-effect relationships. The outcome measures tend to be lagging indicators. They signal the ultimate objectives of the strategy and whether near-term efforts have led to desirable outcomes. The performance driver measures are leading indicators, which signal to all organizational participants what they should be doing today to create value in the future. Outcome measures without performance drivers create ambiguity about how the outcomes are to be achieved and may lead to suboptimal short-term actions. Performance driver measures that are not linked to outcomes will encourage local improvement programs that may deliver neither short- nor long-term value to the business unit.15

14 In Kaplan and Norton [35] (Kaplan, R.S. and D.P. Norton, The Balanced Scorecard - Translating strategy into action. 1996, Boston, Massachusetts: Harvard Business School (HBS) Press. 322.), measures denote metrics.

Figure 3: Balanced Scorecard Four Perspectives Framework, Kaplan & Norton [35]

Below is an example of the various objectives that may be considered for a Balanced Security
Scorecard using the four default perspectives, as suggested in Jaquith [36]:

Financial

- Promote or hinder the ability to generate, and account for, revenues. Security is a key
component of most companies’ technology investments, particularly in operational systems
directly related to generating revenues, or accounting for them after the fact.
- Encourage or retard growth. Effective security gives customers confidence that they need
to do business with an organization; poor security drives them away.
- Increase or decrease cost. Spending on security affects organizations’ cost structures.
Some investments can be tied directly to specific business units; others cannot.
- Increase or decrease risk. Information security investments affect organizations’ risk
postures. Systems with weak controls increase risk; those with appropriate controls reduce
risk.

15 For a general overview of Lead and Lag indicators, see: [Link]

Customer Perspective

- Increase or decrease customers' likelihood of doing business with the organization. Security measures that are perceived to be effective can play a role in attracting new customers; poor security can repel them in droves.

- Enhance or hinder an organization's ability to do business with customers. While security is rarely a commodity or service customers buy, it often plays a catalytic role in enabling business. Security technologies also sometimes enable companies to create new business opportunities that would not have otherwise been possible.
- Meet, or fail to live up to, security expectations of customers, partners, and
regulators. Trade associations and government agencies often impose security
requirements on organizations. Consumers and public interest groups, too, have begun to
assert their expectations about how organizations handle security concerns.
- Burnish or tarnish the firm's reputation in the market. It's been said the sign of a
successful security program is when "nothing happens." Conversely, high-profile hacks can
quickly damage a firm's reputation.

Internal Business Process Perspective

- Protect the organization from harm. Successful security programs let trusted parties in,
keep unwanted persons out, and reduce the chances that bad things will happen.
- Grant access to appropriate resources. Internal users and systems should have access to
the resources they need to accomplish their jobs—no more and no less.
- Maximize availability of systems. Security plays a role in ensuring that critical technology
systems can be continuously available to serve the organization, its customers, and
partners.
- Promote technological agility. Too often security is considered a roadblock to progress;
responsive and flexible security teams that engage business units can reverse this
perception.

Learning and Growth

- Spreading responsibility for security: Security teams cannot do everything themselves. The business has a role to play in protecting the organization and should be accountable for its security decisions. Security needs to be integrated into business processes.
- Ensuring that team members possess the right knowledge and skills: An organization
can trace its security effectiveness, in part, to the skills and experience of its team members.
Employees require training; for security teams, the "right skills" typically include
professional certifications and technical training.
- Exhibiting behaviors conducive to security: Effective organizations create environments
in which it is easy for employees to act and work securely. To use Dan Geer's formulation,
security ought to be "no load" and "inescapable." Effective security engineering should
make it easy for employees to make the appropriate security decisions.



- Encouraging adaptability: The ever-changing threat landscape requires organizations to
maintain eternal vigilance. Organizations' security programs should strive to understand
new threats as they emerge and investigate new countermeasures as they become available.

8.2 Drivers/Motivations
BSS, like the business Balanced Scorecard, speaks the business's language. The Balanced Scorecard is widely recognized and adopted as a tool for business governance; BSS presents a natural extension.

BSS provides a means to align information security values with business values, which results in seamless integration, without a need to separately justify security investment.
Performance of security programs (linked to the objectives defined in the BSS and BS) results in clear business outcomes in the four areas that are at the same time measurable using pre-determined metrics.

8.3 Focus of Resources
The BSS should provide a "balanced" approach, which covers the four key perspectives that businesses are concerned with – financial, customer, internal process, and learning and growth.
At the early stage of adoption/implementation, the leadership group of the information security function will have to establish the group's vision and strategy, and from these, identify the objectives and measures. Subsequently, the extended team should develop the related programs/projects and execute them in each area to achieve the objectives that deliver the strategic outcomes. Measures (metrics) selected must demonstrate strong cause-and-effect linkages. The leadership team and program/project managers need to be trained on the BSS tool/methodology to understand where and how they fit, before they can go about developing details specific to their responsibilities, including identifying and measuring the appropriate performance driver measures that will deliver the desired outcomes.

Once the BSS scorecard is established, resources should be directed to focus on execution. At the management/leadership level, regular (mostly quarterly) strategic reviews should be conducted to govern execution and ensure on-track progress in delivering the required performance driver measures. Changes to the objectives and related metrics may take place upon each strategic review, and/or during an annual review/update cycle.

8.4 Performance
Overall performance is demonstrated by the outcome metrics. Individual/group performance is
shown by achieving the performance drivers’ metrics identified in each of the four perspectives.

8.5 Outcomes
Metric saturation may result if we try to measure everything in the scorecard.
While this approach provides flexibility with broad definitions of the perspectives—Customers,
Internal Processes, Financial, and Learning and Growth—it could result in ambiguity if each
perspective is not adequately scoped.
Objectives may need to span multi-year initiatives to be achievable, whereas the scorecard tends to focus on short-term performance.

The fundamental problem of quantifying risks and security benefits has not been resolved. This limits what we can measure and show in the scorecard itself.

8.6 Remarks
To be successful with the BSS approach, the information security officer needs to first develop a
security strategy. The strategy defines the desired goals from which the objectives of each
perspective could then be determined.
The BSS may be used in conjunction with a risk-based approach, such as the ISMS, as well as
integrate with the Responsive Security approach to drive responsiveness and readiness outcomes
in the organization.



9 Security Maturity Models
Security maturity models (SMM) are process-oriented models depicting the characteristics of an organization's security profile or status at a given point, which reflect a certain level of maturity. Security maturity models evolved from the generic capability maturity model (CMM), which describes the stages through which processes progress as they are defined, implemented, and improved.
Most if not all security maturity models available to date have some similarities that can be traced back to the Systems Engineering Capability Maturity Model (SE-CMM), originally developed by an industry consortium led by the Carnegie Mellon University Software Engineering Institute in the early 1990s. SE-CMM defines five levels of maturity, from initial or ad hoc to optimized, focusing on system and product engineering processes.
The System Security Engineering Capability Maturity Model (SSE-CMM) was subsequently developed in 1999 to focus on maturing the security engineering industry. Back then, the field of security engineering had several generally accepted principles, but lacked a comprehensive framework for evaluating security engineering practices. Specifically, security engineering qualities such as continuity, repeatability, efficiency, and assurance were required but found lacking. The SSE-CMM, by identifying such a framework, provides a way to measure and improve performance in the application of security engineering principles.
SSE-CMM revised the terminology used in SE-CMM while keeping to the five levels of maturity. In 2002, SSE-CMM was published as an ISO/IEC Publicly Available Standard, as ISO/IEC 21827. The standard then went through formal ISO national bodies' review and updates to its current second edition in 2008 as a formal international standard. To date, the same five-level maturity scale has been maintained as part of the ISO standard.
As in any security maturity model, the maturity level definitions, including the specific requirements in terms of process and competency expectations at each level, are fundamental and key to the model.
Maturity models provide a means for information security officers to present security status information in terms that business leaders can quickly understand. Metrics are another tool, which can help translate the value of the business taking steps to avoid a particular information security risk. We will discuss metrics in the "New School" approach later in this Module.

9.1 Concepts/Principles
When dealing with maturity models, these are the terms that are commonly used: process,
capability, and maturity.
ISO 21827 defines process as a set of interrelated activities that transform inputs into outputs.

Capabilities are built on practices. In ISO 21827, it relates to the performance of generic practices
over domain-specific base practices. An example of a generic practice that is applicable to multiple
domains is allocating resources. One of the base practices that is essential in the security
engineering domain is identifying system security vulnerabilities. An organization’s capability in
this regard is reflected in the answer to the question of “does the organization allocate resources
for identifying system security vulnerabilities?”



In terms of maturity, ISO 21827 does not provide a definition; we can, however, informally regard the presence and practice of a set of pre-determined competencies as signifying a level of maturity. Higher competency means higher maturity.
The starting point of the maturity model is the "ad hoc" phase, which is essentially a "firefighting" mode. When an organization reaches the last phase, it is using standardized and repeatable processes that can be measured.

9.1.1 Traditional CMMI
The traditional CMMI has five levels of maturity, namely Initial, Repeatable, Defined, Managed, and Optimizing. The basic CMMI framework is often used as a generalized roadmap for designing a security maturity model for measuring and improving an organization's entire IT security posture, regardless of how far along it is in the maturity process. For example, Gartner describes an IT Score-based assessment guide that encompasses business processes, technology and tools, business culture, as well as personnel and organization in five levels of maturity:16

• Level 1 – Initial: The enterprise’s management is aware that information security is weak
and represents unacceptable risks. Information security activities are ad hoc and typically
IT-focused. In most cases, no formal information security program is in place.
• Level 2 – Developing: An individual has informal responsibilities comparable with those of a
chief information security officer (CISO), who is working to develop program plans and
policies. Different stakeholders are beginning to communicate informally about information
security issues.
• Level 3 – Defined: Policies and rules are in place and some information security roles and
responsibilities are established, but there is little accountability or enforcement.
Information security efforts are still primarily IT-focused, and enterprise security
awareness is still limited.
• Level 4 – Managed: Information security roles and responsibilities are clearly defined, and a
formal information security committee—led by the CISO, with participation from the line-
of-business managers—is operating. The enterprise is moving away from an IT-centric
approach to information security, but line-of-business owners have not yet accepted explicit
accountability for residual risk.
• Level 5 – Optimizing: Line-of-business managers have now explicitly accepted the residual
risk associated with their use of information and technology, and they are fully accountable
for security failures and policy violations. Continuous self-improvement practices are in
place, regularly updated and used to create a security-aware culture in their organizations.

9.1.2 SSE-CMM – ISO/IEC 21827:2008


In SSE-CMM, each capability level consists of one or more common features, each of which groups
the generic practices defined in the standard. The capability levels represent how well a security
engineering organization performs and institutionalizes its processes.

16 For details, see:
[Link]
[Link]

The standard may serve as a guide for selecting process improvement strategies by determining the
current capabilities of specific processes and identifying the issues most critical to quality and
process improvement within a particular domain.
The SSE-CMM can also be used as a reference model to guide the development and improvement of
a mature, defined process, by planning for advancement to the next level on the five-level CMM
scale. This answers the question "where should our information security program go from here?"

From an assurance or validation perspective, the standard may be used to appraise the existence
and institutionalization of a defined process that implements the referenced practices. This answers
the question "how do I know if a provider has the security capability and is trustworthy?"

9.1.3 Open Group's Open Information Security Management Maturity Model (O-ISM3)
Another open standard is the Open Group's Open Information Security Management Maturity
Model (O-ISM3) [37]. Published in 2011, its main difference from SSE-CMM is its focus on the
information security management domain.
The O-ISM3, or ISM3 in short, also consists of five levels of maturity, from Initial to Optimized,
adhering more closely to the naming used in the traditional CMM levels. Like SSE-CMM, it provides
for process improvement, serves as a reference model, and is designed for assurance appraisal,
validation, or certification of practices. There are, however, major differences in the approach,
design, and implementation of ISM3.
9.1.3.1 Key Characteristics of ISM3
A distinctive feature of ISM3 is that it is a process-based approach to information security
management and maturity. Its underlying principle is that every control needs a process for
managing it. It breaks information security management down into a set of processes that can be
managed and measured more efficiently, with the relevant security controls identified within each
process as an essential subset of that process.
Another unique feature of ISM3 is that it defines security as the result of continuously meeting or
exceeding a set of business and security objectives, and regards a security incident as a failure to
achieve one or more of management's agreed business and security objectives. An ISMS failure
occurs when a security target is breached. A state of security exists when all objectives are
continually met within their security target tolerances despite threats. Having said this, the ISM3
standard recognizes that security is not invulnerability to all attacks, but rather an economically
efficient level of invulnerability given competing claims upon business resources.
Nevertheless, while many information security management approaches see risk assessment as a
necessary first step in resolving such competing claims, risk assessment is not a prerequisite to
ISM3 design and implementation. The business has the prerogative to decide whether a risk
assessment is necessary to determine the application of security controls. Security controls can be
chosen based on common sense, best practices, lessons learned from incidents, the results of a
vulnerability or threat analysis exercise, and/or client policy requirements.
As a process-based approach, ISM3 defines the process as the "smallest, atomic unit of the standard.
Everything ISM3 does centers around the concept of the process. Processes have capabilities and
are managed using management practices."

Capability is a property of how a process is managed. From a managerial perspective, the higher the
capability, the more management practices apply, and the more robust, transparent, and
self-correcting the process. From an auditor's perspective, the capability achieved by a process
depends on the documentation and the metrics used to manage it. Capability is therefore defined in
terms of the metrics and management practices used, and it requires linking security objectives and
security targets to business objectives. Process metrics are the enablers of a process's management
practices and reveal its capability.
The organization determines the set of ISM3 information security processes required to meet its
business and security objectives. Processes are allocated to certifiable maturity levels along a
spectrum from a basic ISMS to an advanced one. The operational status of those processes reflects
the maturity of the organization as such. The relationship between the number of processes, their
capability, and the maturity of the ISMS is that the more processes there are, and the higher their
capability, the higher the maturity.
Market-driven maturity levels help organizations choose the scale of ISMS most appropriate to
their needs. The maturity spectrum facilitates the trade-off of cost, risk, and usability and enables
incremental improvement, benchmarking, and long-term targets.

The ISM3 approach recognizes the issues and dilemmas relating to the measurability of security
outcomes that we discussed earlier in the introduction to the responsive security approach. In
essence, security managers face a difficult challenge in justifying their security decisions to
stakeholders. If there are no security incidents, stakeholders may feel there is over-investment in
security. If there is a serious incident, a review might blame the Security Manager's incorrect
assessment of a particular area of risk. Security Managers stand to take the blame for security
breaches, while success, measured as "no significant security breaches", goes unrecognized.
In ISM3, this challenge is viewed as a lack of clarity and agreement over what security means in
practice. ISM3 addresses this by using operational definitions of security, which say how security
may be achieved and measured, instead of conceptual definitions in terms of protecting
confidentiality, integrity, and availability. This means there must be a dialog between the Security
Manager and the business managers to work out what matters (business and security objectives),
how it should be measured (security targets), and the escalation threshold for declaring a major
problem (an ISMS failure).
9.1.3.2 Integration with ISO/IEC 27001 ISMS
ISM3 and ISO/IEC 27001 share similar goals in advancing information security management in
organizations. As highlighted in Appendix C of the ISM3 standard, there are synergies between ISM3
and the ISO/IEC 27001 ISMS. Organizations that have implemented an ISO/IEC 27001 ISMS may
leverage ISM3 to achieve a higher level of efficacy and measurability in information security
management, as follows:
In line with ISO/IEC 27001:2005, ISM3 seeks to understand the organization's information security
requirements and to align the ISMS with business needs. It does this by requiring business
managers to state their sensitivity to various categories of security incident. The resulting security
objectives set the standard for identifying security incidents and measuring the performance of the
ISMS. This approach fairly and transparently sets out the expectations and responsibilities of the
security team.

ISO/IEC 27001 does not provide specific guidance on incorporating security into systems architecture
design. Using ISM3 while designing a system architecture ensures that security considerations are
cascaded through the design, complete with reporting linkages, identified dependencies, and
measurement points.
Metrics are an integral part of ISM3 and are part of performance management in an ISO/IEC 27001
ISMS. Organizations using ISO/IEC 27001, however, tend to measure security through compliance
verification and, technically, by conducting security tests or reviews such as post-implementation
penetration testing. Using such lagging indicators as metrics for the organization's security results
in a long improvement cycle and leaves exposures in place until after the measurements have shown
the discrepancy. ISM3 metrics, on the other hand, focus on the objectives of the specific process
requirements and the control(s) they serve. They emphasize the measurement of trends and
variability and are often leading indicators related to the probability of an incident. This enables
early detection of discrepancies and short-cycle improvement, complementing the shortcomings of
the compliance-biased ISO/IEC 27001 approach.
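The objective/target/tolerance dialog and the leading-indicator metrics described above, as an added example that is not part of O-ISM3 or of these notes: a security target is written down as an operational definition (objective, metric, target, tolerance), a weekly leading indicator is assessed against it, and a warning is raised when the trend projects a breach before the target is actually missed. The patch-SLA objective, the sample weekly series, the trend window and the projection horizon are all constructed for illustration and are not figures from the standard.

```python
"""Added example: an ISM3-style operational definition of a security objective.

A security target is stated as (objective, metric, target, tolerance), the
metric is a leading indicator sampled every period, and the assessment
reports a warning when the trend projects a breach before the target is
actually breached. All names and the sample series below are constructed
for illustration; they are not taken from the O-ISM3 standard."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class SecurityTarget:
    objective: str     # what the business agreed matters
    metric: str        # how it is measured (a leading indicator)
    target: float      # the level to be met continuously
    tolerance: float   # band below target that is still acceptable

    @property
    def floor(self) -> float:
        """Escalation threshold: below this the target is breached."""
        return self.target - self.tolerance


def linear_slope(values):
    """Least-squares slope per period of a series (the trend)."""
    n = len(values)
    if n < 2:
        return 0.0
    x_bar = (n - 1) / 2
    y_bar = mean(values)
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(values))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den


def assess(target: SecurityTarget, series, horizon: int = 4, window: int = 8):
    """Classify the latest measurement against the target.

    Returns a dict whose 'status' is 'breach' (target not met within
    tolerance: the ISMS failure to escalate), 'warning' (within tolerance
    now, but the trend over the last `window` periods projects a breach
    within `horizon` periods), or 'met'. Variability (population stdev over
    the window) is reported so an erratic process stays visible even when
    its latest value looks acceptable."""
    recent = list(series[-window:])
    current = recent[-1]
    slope = linear_slope(recent)
    projected = current + slope * horizon
    if current < target.floor:
        status = "breach"
    elif slope < 0 and projected < target.floor:
        status = "warning"
    else:
        status = "met"
    return {
        "objective": target.objective,
        "status": status,
        "current": current,
        "slope_per_period": slope,
        "projected": projected,
        "variability": pstdev(recent) if len(recent) > 1 else 0.0,
    }


# Constructed sample: percentage of critical patches applied within the
# agreed window, sampled weekly. Target 95%, tolerance 5 points => floor 90%.
PATCH_SLA = SecurityTarget(
    objective="critical vulnerabilities are closed before they are exploited",
    metric="% of critical patches applied within 7 days, per week",
    target=95.0,
    tolerance=5.0,
)
STEADY = [97, 96, 98, 97, 96, 97]     # healthy process
DECLINING = [97, 96, 95, 94, 93, 92]  # still in tolerance, trend heading below 90
BREACHED = [96, 94, 91, 88]           # target breached: ISMS failure to escalate

if __name__ == "__main__":
    for name, series in (("steady", STEADY), ("declining", DECLINING), ("breached", BREACHED)):
        r = assess(PATCH_SLA, series)
        print(f"{name:10s} status={r['status']:8s} current={r['current']} "
              f"slope={r['slope_per_period']:+.2f}/wk projected={r['projected']:.1f} "
              f"stdev={r['variability']:.2f}")
```

The "warning" state is what makes the metric a leading indicator: the declining series is still inside tolerance in the current week, but its slope of one point per week projects it below the 90% floor within the horizon, so the process owner is alerted before a compliance review would ever notice.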
As ISM3 is process focused, organizations can leverage the ISM3 approach to define security
objectives and process responsibilities for each control objective selected in the ISMS, so as to meet
measurable business goals.
Finally, by mapping ISM3 processes against the selected ISO/IEC 27002 control objectives, an
organization can identify and close control gaps not addressed in ISO/IEC 27002.
Taking these integration steps enables an organization with an ISO/IEC 27001 ISMS to measure its
level of security capability and maturity, determine strategic improvement directions, and at the
same time use ISM3 metrics to demonstrate the state of operational security to senior management,
answering the three basic questions discussed earlier.

9.1.4 Information Security Program CMM


The capability maturity approach is not confined to organization-wide initiatives such as security
engineering or an ISMS. It can also be used at a project or program level, for example to govern an
Information Security Program focused on a set of functional areas where measurements can be
made and targets established. As shown in the radar chart, each of the 12 functional areas selected
has its own maturity level, which could be based on an industry benchmark or set as an internal
target. The combined chart shows the overall maturity status against the targets or benchmark.
Besides the two open standards and the program-specific maturity model discussed above, vendors
and consultancies outside the standards community have also developed various maturity models,
mostly used as tools for providing consulting services that guide end-user organizations in
strategizing, planning, and governing their information security management program or related
initiatives. For more examples and information, please refer to the reference section of this module.

9.1.5 Other Examples of Security Maturity Models
Algosec's Security Policy Management Maturity Model is another example, which defines four
levels: Initial, Emerging, Advanced, and Visionary.17 The model is used as a means of positioning the
solutions that Algosec provides.

9.2 Drivers/Motivations
As an organization's information security program gains traction and stabilizes, one question that
senior management and the CISO may begin to ponder is "how are we doing compared to others in
the industry?" The CISO may also consider questions such as "where should our information
security program go from here?" When deciding on a third-party provider, she may also ask, "how
do I know if a provider has the appropriate level of security capability and is trustworthy?"

A security maturity model is one of the tools that the CISO and senior management can use to
answer these questions. Many groups in the IT industry, including private consulting firms and
standards organizations, have proposed security maturity models for use in organizations, each
focusing on a specific domain. For example, the ISO/IEC 21827:2008 Systems Security Engineering
Capability Maturity Model (SSE-CMM in short) and the Open Group's Open Information Security
Management Maturity Model (O-ISM3 in short) are two open standards focusing on the security
engineering and information security management domains, respectively.
A maturity model provides a means of comparison, or benchmarking, which helps information
security practitioners set the organization's security goal at the next level of maturity. Using
maturity as a benchmark also gives senior management a clearer view of the organization's current
security status compared with the rest of the industry, hopefully motivating them to invest in
closing the gaps identified. Using a maturity model, businesses can also determine whether IT
resources are being deployed and used effectively.
The gap between the current and the aspired maturity state helps to identify what needs to be done
next, and justifies security investment.
Properly used and presented, it allows the work of the information security function (in
partnership with other stakeholders) to be quantified and hence recognized when the next level of
maturity has been achieved.

9.3 Focus of Resources

Given that the goal of such an approach is to reach the next level of maturity, resources are
naturally focused on the list of activities that will build or improve the processes, capabilities, and
people's competency needed to meet the requirements of the next level, until the ultimate stage of
"Optimizing" is reached.

9.4 Performance
The performance of such an approach is measured by the gap between the current and the desired
maturity level.

17 For more information, see: [Link]

An industry benchmark survey may also be used to provide an independent assessment of the
organization's maturity level compared with others in the same industry.

9.5 Outcomes
Improved visibility into what is happening with IT security throughout the organization: which
employees are responsible for it, whether they are the right people to handle that responsibility,
and, if so, whether they are doing their jobs well. Improved visibility in turn results in a better
understanding of:

• What needs to be protected.
• How well the current security measures work.
• What needs to be accomplished in terms of security.
An organization's security maturity, even at the highest level, should not be misconstrued as being
"secure".
As a maturity model provides specific targets or goals to be accomplished at each level, it can result
in those targets being pursued blindly, and hence drive a compliance culture in the organization.
Like the traditional CMMI, security maturity models (SMMs) are mostly process-oriented, which may
leave out the people aspects if one is not careful.
Benchmarking provides an indicator of the relative position of an organization's security maturity
but adds little to the actual state of security. If the rest of the industry has not stepped up to a
higher level, does that mean it is acceptable for an organization to follow suit and stay at its current
level? Business management may be willing to stay level with the rest of the industry just to save
cost, and such a benchmark result may just fit their purpose.
A question also remains as to what happens after the organization has attained the "Optimizing" level.

10 New School of Information Security
The "New School" approach to information security introduces a way of thinking about information
security problems and identifies new methods and tools to drive change in organizational behavior,
which in turn influences the design, implementation, and operation of information security
programs. It is a "new school" in that it draws on understanding from non-engineering disciplines,
such as economics, psychology, and the social sciences, which are not formally considered in the
commercial/military and risk-based approaches.

10.1 Concepts/Principles
The traditional approach of using Fear, Uncertainty, and Doubt (FUD) is not sustainable. FUD has its
limitations and challenges, as discussed in the Risk-based Approach and Commercial Security
Approach sections earlier. New ways of "selling" security to get management buy-in and support
are therefore desired.
Traditional approaches such as the commercial and military security approaches are overly reliant
on technology for security. This creates a vendor-driven culture, favoring technology solutions that
vendors have developed, which often do not integrate well when several vendors' solutions are
implemented side by side, creating complexity and breeding hidden risks.
The New School approach promotes openness and transparency. For example, it promotes the idea
of data breach disclosure, so that data on breaches are available for everyone to understand the
nature of breaches before trying to protect against them.
Information security practitioners should also study their practice environment through
observation, as is done in sociology, in order to understand how to influence organizational
behavioral change.

Economics and Information Security

One of the New School approaches is the study of information security from the perspective of
economics, for example the theory of incentives, network effects, and liability. Economics influences
people's behavior, which in turn affects the way they interact with information systems and drives
certain security outcomes. In other words, as Shostack and Stewart assert, "how people are
motivated to behave can be as important as, or often more important than, how the system is
designed to behave."
Theory of Incentives – Why users don't choose good passwords
To understand how incentives affect information security, a simple example is the problem of
password security. Good passwords are a cornerstone of many authentication schemes, and
security often fails when impersonating a user is easy. Unauthorized access can result in
fraudulent transactions, data theft, installation of malware, and many other forms of security
incident. If an organization views this as a technical problem, it imposes its policy through tools
that implement complex password rules requiring capitalization, special characters, and the like.
With access to multiple systems requiring unique passwords that are difficult to remember, users
will soon find ways to circumvent the policy, such as writing passwords down, or even investing
time to invent password-changing schemes so that they can use roughly the same password with
just enough changes to satisfy the policy. Such practices create weak links that are hidden from the
system. Viewed through the economic lens, what is at play is that the incentives of the users and the
organization are not aligned. Users have no incentive to use a complex password. Indeed, they
would most likely prefer no passwords at all, or to use very simple passwords across all systems to
ease their access. In addition, the small demands of each system with its own complex password
policy accrue in the individuals asked to remember those many different passwords. Therefore, the
common response is to ignore, sidestep, or subvert the policies. Over the years, more organizations
have learned the lesson and adopted federated single sign-on, so that users have only one credential
to remember, together with two-factor authentication to strengthen that one credential, making
system access as simple and easy as possible while improving security. This is also one of the
reasons why biometric-based authentication is gaining much higher user acceptance than PIN-based
authentication, even though it has inherent limitations and introduces privacy concerns.
Network Effects
Economists speak of externalities, of which network effects are one kind, where the costs (or
benefits) of a transaction are not carried entirely by the people involved in it. The same problem
exists with many aspects of information security. Take email spam: the cost of sending spam is
extremely low compared with the spammer's financial returns, because spammers capitalize on a
supply of compromised end-user computers ("zombies") whose owners do not directly suffer the
consequences. Their operations went undisrupted until relatively recently, when operating system
and security vendors began to bundle in "anti-zombie" features for competitive reasons, and when
users, increasingly concerned about data breaches, started to care about data security and became
more willing to pay for anti-virus software and/or upgrade to the latest operating systems with
better security. There are, however, still many users on unpatched operating systems and/or
without any anti-malware protection, which enables spammers to continue their business.
The network effect further explains why the more people who own a technology, the more value
there is for everyone else who owns that technology. Metcalfe's Law, which states that the value of a
network grows with the square of the number of its users, is one expression of this. It also explains
why attackers prefer to target the most popular operating systems: any vulnerability found has a
higher pay-off when sold on the black market to spammers, cyber criminals, and other bad actors,
because it applies to many more victims.
Principal-Agent Problem
The principal-agent problem from economic theory also shows the importance of going beyond due
care and due diligence when an agent (e.g., an outsourced service provider) is entrusted to provide
a security monitoring service. In such a relationship, how does the organization, as the principal
outsourcing a security monitoring service, make sure that the service provider, as its agent, will
find and report security events rather than hide them so that they have less work to do while
continuing to be paid for the service? In an audit engagement, the auditors have an incentive to
point out a tremendously long list of problems to avoid any liability. The auditee, on the other hand,
would prefer a list of audit findings that allows it to balance risks against the costs of mitigating
them. At some point, the principal and the agent will have to establish some form of service level
agreement with metrics for measurement and reporting, and trust that the other party will deliver
on it. This also means that certain security issues will remain undiscovered or unreported within
the scope of the agreement.

Psychology and Information Security

Psychology is another science that is increasingly being studied and used to better understand and
manage information security challenges.
Studying the spending habits of different stakeholder organizations gives insights into what they
consider important, and leveraging that will likely help to justify security spending.

The issues of risk visibility, risk compensation, risk habituation, and risk aversion all have a
social-psychological perspective.
A lack of visibility may increase risk aversion in some situations but, through ignorance, may also
cause one to take more risk.
For example, when driving through a heavy storm with poor visibility, we tend to slow down, turn
on the headlights, and turn down the stereo. On the Internet, on the other hand, there is almost no
visibility of whether the next web site you visit is malicious until you are there, and many times,
even when on a malicious web site, you may not know that it is malicious. Somehow, we feel safe
and continue to surf until there is a visible sign of danger or a suspicious event.
When people feel safe, normally due to the increased visibility of security measures taken, they
become less cautious, unintentionally tilting the balance in the risk equation and compensating for
the measures taken. We saw this played out when seat belts were first made mandatory in the UK in
the 1980s: drivers felt safer and drove faster, resulting in an increase in road accidents and
redistributing the danger from car occupants to cyclists and pedestrians [38].

Risk habituation takes place when an individual gets used to a risky condition in which no major
incident has taken place over a long period, like a frog in warm but slowly boiling water. Job
rotation and mandatory leave policies are therefore important to avoid, or to reverse, such subtle
behavioral changes.
Risk aversion is often the result of a bad experience relating to a specific incident. For example,
negative media reports on unauthorized access to inadequately protected wireless networks have
resulted in organizations or regulators banning the use of wireless altogether. Such a ban comes
with the trade-off that the benefits of the technology are not realized, while the risk of insecure
network configuration, which was the root cause, may persist.
When designing security policies, it is therefore important to consider the psychological and
economic factors that may influence compliance and enforcement.

10.2 Drivers/Motivations
A basic motivation of the New School is the belief that a data-driven approach is more convincing
than FUD: use data to show the problems, justify the investment, and present the outcomes. Data
can be collected internally and openly, and should be shared wherever possible to help understand
the problems before developing solutions.

Information security is closely related to organizational behavior, which is influenced by the
economic, psychological, and social environment. An information security program will be more
successful if it leverages understanding from these non-engineering fields.

10.3 Focus of Resources
Understanding the economic, psychological, and social aspects of systems in relation to
information security, and using them to gain management commitment and influence users' behavior.
Collecting, analyzing, and sharing data (breach data, monitoring data, risk data) to justify the design
and development of security strategy and plans.
Using economic, psychological, and social methods in conjunction with technical/engineering
solutions to influence change in organizational behavior towards better security practices.

10.4 Performance
Security metrics based on data, focused on a specific problem and context and on the desired
outcomes.

10.5 Outcomes
Useful ideas for re-evaluating the security situation and problems to gain a better understanding of
the issues and challenges. There is, however, no specific model or framework to follow or adopt.
There is still reliance on trial and error, though better informed by a wider variety of teaching, not
just FUD or mathematics.
Information security practitioners need to study economics, psychology, and the social sciences to
be able to understand and apply them to their practice.

10.6 Remarks
This approach may be used in conjunction with the other approaches and models discussed in this
Module. It is not a standalone idea, but understanding of these non-engineering fields of study will
help to improve the effectiveness, efficiency, reliability, meaningfulness, and fairness of new
information security strategies and programs.

11 Other Models/Approaches
As security is an ongoing journey that is constantly challenged by changing technology, policy,
threats, and operating environments, practitioners and academics from time to time design and
introduce new models, frameworks, approaches, and tools to help address the various aspects of
security management challenges. In this section, we briefly review a few of the approaches and
tools that have been introduced over the years.

11.1 Time-based Security

Time-based security is an approach developed by Winn Schwartau [39] that uses time as the factor
for deciding where to focus security investment. Time to detect, time to respond, and time to protect
are time periods that can be determined (for simple systems) and compared with the duration of an
attack to decide where to focus resources along the protect-detect-respond/react timeline. The idea
of a time-based approach is to steer information security practitioners away from the usual
"fortress mentality" (i.e., defense-in-depth).18

11.1.1 Concepts/Principles
Time-based security is modeled on the system Underwriters Laboratories, Inc. uses to rate safes,
which acknowledges that any system can be compromised given enough time, assuming the intruder
is willing to dedicate the resources to do it. Time-based security works on the premise that, when
designing a protection mechanism, if the time and resources required make intrusion an
unproductive venture, a potential intruder will likely go for a less protected system that is more
accessible [40].

Time is a key factor in information security; "time is money", as the saying goes. Real security
comes from a combination of prevention (P), detection (D), and response (R), each with its own
duration of effectiveness. For example, a password may succumb to brute-force guessing after, say,
10,000 tries on average, with each try taking a certain amount of time, say 0.01 second. The average
duration of protection the password affords the system is therefore 10,000 multiplied by 0.01, or
100 seconds, i.e., less than two minutes. To compensate for this protection weakness, the system
needs to be able to detect such an attack and respond (with a password reset, perhaps) in less than
100 seconds, or else the intruder will have logged on to the system successfully.

As such, a preventive measure is only effective if Pt > Dt + Rt, where Pt, Dt and Rt are the
protection, detection and response times. Based on this concept, Schwartau suggests reordering the
traditional protect-detect-react/respond sequence into a detect-react-protect (DRP) sequence. Such
an ordering emphasizes detection and reaction over prevention. If an organization can detect and
react to security events promptly, even without preventive measures in place, many incidents may
be avoided or contained. This strategy can result in significant savings, since the cost of prevention
may be reduced or eliminated. However, the additional cost of devising and implementing timely
detection and reaction systems needs to be justified against those savings.
The attacker's skill determines the time required to defeat prevention and detection.
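The Pt > Dt + Rt rule, worked through in Python as an added example that is not from Schwartau's book or from these notes. It takes the 10,000-guess, 0.01-second password example above, pairs it with a detect-and-respond loop, and compares two ways of restoring Pt > Dt + Rt: raising Pt by throttling attempts, or cutting Dt + Rt with alerting and automated lockout. It also applies an attacker speedup factor, since the attacker's skill sets the real Pt. The control mixes, the five-minute human response loop and the speedup values are constructed assumptions.

```python
"""Added example: time-based security arithmetic (Pt > Dt + Rt).

Protection time Pt is the expected time an attacker needs to defeat a
preventive control; exposure is how long the attacker is inside before the
defender has detected and responded. The control mixes and attacker speeds
below are constructed for illustration, not figures from Schwartau."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlMix:
    name: str
    expected_tries: float   # average attempts to defeat prevention (e.g. guesses)
    seconds_per_try: float  # defender-imposed cost per attempt (throttling, hashing cost)
    dt: float               # seconds until the attack is detected
    rt: float               # seconds from detection to an effective response


def protection_time(expected_tries: float, seconds_per_try: float) -> float:
    """Pt: expected seconds before prevention is defeated."""
    return expected_tries * seconds_per_try


def exposure(pt: float, dt: float, rt: float) -> float:
    """Seconds of unmitigated access; negative means the control mix holds
    (Pt > Dt + Rt). Positive exposure is the window the attacker enjoys."""
    return (dt + rt) - pt


def evaluate(mix: ControlMix, attacker_speedup: float = 1.0) -> dict:
    """attacker_speedup > 1 models a more capable attacker who makes
    attempts faster than the defender assumed, so Pt shrinks accordingly."""
    pt = protection_time(mix.expected_tries, mix.seconds_per_try / attacker_speedup)
    e = exposure(pt, mix.dt, mix.rt)
    return {"name": mix.name, "pt": pt, "exposure": e, "holds": e < 0}


def rank(mixes, attacker_speedup: float = 1.0):
    """Order candidate control mixes by exposure, least exposed first."""
    return sorted((evaluate(m, attacker_speedup) for m in mixes),
                  key=lambda r: r["exposure"])


# Constructed scenario: the 10,000-guess / 0.01 s password example with a
# 5-minute human detect-and-respond loop, then two alternative investments.
BASELINE = ControlMix("baseline", 10_000, 0.01, dt=240, rt=60)
THROTTLED = ControlMix("rate-limit 1 try/s", 10_000, 1.0, dt=240, rt=60)  # raise Pt
AUTOLOCK = ControlMix("alert + auto-lockout", 10_000, 0.01, dt=10, rt=1)  # cut Dt+Rt

if __name__ == "__main__":
    for speedup in (1.0, 10.0):
        print(f"attacker speedup x{speedup:g}")
        for r in rank([BASELINE, THROTTLED, AUTOLOCK], speedup):
            print(f"  {r['name']:22s} Pt={r['pt']:9.1f}s "
                  f"exposure={r['exposure']:+9.1f}s holds={r['holds']}")
```

At the assumed attacker speed both investments hold, with the automated lockout doing so by a margin of 89 seconds. Against an attacker ten times faster the lockout no longer holds (Pt falls to 10 s against 11 s of Dt + Rt) while throttling still does, because a defender-imposed per-attempt cost scales Pt with the number of attempts whereas a fixed response loop does not. That is the practical reason to treat the skill-dependence of Pt as an input to the model rather than a footnote.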

18 For more information, check out this more recent YouTube video in which Winn Schwartau discusses
Time-based Security: [Link]

Copyright © 2017-2023, Meng-Chow Kang. All Rights Reserved. 45


11.1.2 Drivers/Motivations
Management and technical people can both understand the issues of time.

11.1.3 Focus of Resources

In such an approach, the information security manager should prioritize security controls based on
the time required for prevention, detection, and response, weighed against the value of the assets to be protected.
The time-based approach considers three factors when designing or evaluating a protective system:

• Time to prevent counters the efforts of perpetrators to break in.
• Time to detect identifies the change of situation.
• Time to respond changes the situation to a more desirable one.

If the attacker spends more time attacking and fails to reach the desired state, it costs the attacker more
than anticipated, while the defender averts a loss. Slowing down the
attacker and speeding up the defenses give the advantage to the defender.

11.1.4 Performance
The amounts of time to prevent, detect, and respond are the basic metrics for evaluating information
security.
Cost and benefit evaluation is based on how much time security could buy in terms of Pt, Dt, and Rt.
The cost of time for different resources should be considered when computing the cost of each of the
PDR processes, as different types of resources may be used in each phase.

11.1.5 Outcomes
Time is an important metric, but not the only one. Depending on the skills/expertise of the
perpetrator, the time taken is likely to differ, whereas the calculation is based on an
estimated [Link]

Computing the time for each mechanism in a computing system that includes multiple technical
mechanisms, people, and processes in prevention, detection, and response is a non-trivial task. The
time durations change as the system, processes, and people change. The model does not provide a
means to deal with such changes, which are dynamic in a production environment.
Cohen [41] comments in a review of an earlier edition of Schwartau’s book on Time-based Security
that:
If we are to measure time in terms of money, we need financial models of situations. This in
turn requires a system of modeling in which the model changes as dynamically as the
environment it models. The model must be fed financial and security information on an
ongoing basis and the set of prevention, detection, and response capabilities must be
adapted with time to meet the changing business environment [42].

Clearly, the approach, in its current form, is still incomplete and unable to address such dynamic
changes. The model has therefore remained theoretical to date, with no known practical application.

11.2 The OCTAVE Approach


OCTAVE [33], which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM),
is a specification for an information security risk evaluation. OCTAVE is a risk-based
approach, but with a more comprehensive set of supporting processes, templates, and tools for risk
evaluation. As the tool is licensed and formal training is required, it has not been well adopted
outside of those organizations that have a mandatory policy or compliance requirement (e.g., due to
a customer’s contractual obligation).

11.3 IT Infrastructure Library (ITIL)

ITIL is a service management framework, and security is only a part of it. ITIL does not reinvent
the security wheel but adopts the ISO/IEC 27001 requirements. A separate certification is also
available, i.e., ISO/IEC 20000, which covers the baseline security requirements defined in the
corresponding standard.

11.4 Diligence-based Security


Along with the “New Framework for Information Security” [19], Parker introduces the Parkerian
Hexad, adding Authenticity, Possession, and Utility to the Confidentiality, Integrity, and Availability
(CIA) model. He defines authenticity as “validity, conformance, and genuineness of information”.
Possession is “the holding, control, and ability to use information.” And utility is the “usefulness of
information for a purpose.” [19]
Parker argues that if information is available but not usable, for example because it is
encrypted, then it has no value to its authorized user. Utility is therefore an important property
separate from availability. Similarly, besides knowing that information is free from corruption or
unauthorized modification, we may need assurance of its authenticity, for example, that it is not
unlicensed digital media. We also need to answer the question of whether the possession of
encrypted information is acceptable, to decide whether such information needs additional layers of
controls in a system.
Parker asserts that the risk-based model is a failure [34, 43] and proposes the use of a Diligence-
based Security (PDBS) approach to security management. PDBS emphasizes the use of diligence, in
which positive actions can be taken in place of concerns over risks, which are deemed negative
showstoppers. Diligence means avoiding negligence; compliance with laws, audits, regulations, and
contracts; and enablement. Diligence is measurable by the implementation and operation of
security controls and practices.
Due diligence: We can show management the results of our threat and vulnerability analysis (using
examples and scenarios) by giving examples of the existence of the vulnerabilities and solutions that
others have employed (not including estimated intangible probabilities and impacts). Then we can
show them easily researched benchmark comparisons of the state of their security relative to other
well-run enterprises and especially their competitors under similar circumstances. We then show them
what would have to be done to adopt good practices and safeguards to assure that they are within the
range of the other enterprises.
Compliance: We are finding that the growing body of security compliance legislation such as SOX,
GLBA, and HIPAA and the associated personal and corporate liability of managers is rapidly becoming
a strong and dominant security motivation... (The current legislation is poorly written and has a
sledgehammer effect as written by unknowing legislative assistants but will probably improve with
experience, as has computer crime legislation.)
Enablement: It is easily shown in products and services planning that security is required for obvious
and competitive purposes and from case studies, such as the Microsoft experience of being forced by
market and government pressures to build security into their products after the fact.

While the Parkerian Hexad provides more granularity in the desired properties of information,
there are opposing views that such granularity might not always be necessary, since possession
can be considered part of confidentiality, utility part of availability, and authenticity part of integrity.

In enterprises today, the Parkerian Hexad’s definitions are not commonly used. However, this does not
mean that they are irrelevant. As technology evolves and the business environment changes, these
additional properties may become more critical in the new context. We should therefore keep an
open mind and consider the need for and importance of these additional properties, namely
authenticity, possession, and utility, as we assess information security needs on a case-by-case
basis.
Diligence, which drives compliance, aligns with the desires of the regulators. Parker posits
compliance as a business enabler, i.e., by being compliant, a business gains regulatory approval
and is therefore able to capitalize on its security spending through market access. Compliance,
however, is not efficient in addressing new or emerging issues until new regulatory requirements
exist. Regulators are reactive to new security issues, and new regulations therefore
normally take months if not years to be published, unless the issue is already causing systemic risk
to the industry concerned or presents a clear sign of such potential. Issues that have not
gained regulators’ attention may expose the business to undesirable consequences, whereas
waiting for new regulation to pass often places the organization in a reactive position of “catching
up” with the regulators, risking non-compliance. In any case, the regulators are not the enemy;
the cyber criminals are. Compliance without prioritization of controls means all controls must be
implemented, which may not be justifiable for every business application and item of information involved.
In practice, businesses (in particular in the financial services industry) use a combination of PDBS
with the risk-based approach, or at least a risk scenario narrative, to prioritize and justify security
spending.

11.5 Zero Trust Security


In recent years, the concept and principles of Zero Trust Security (ZTS) have gained much attention
and adoption in businesses. Also known as Zero Trust Networks (ZTN) [44] and Zero Trust
Architecture (ZTA) [45], ZTS is, however, not a security management approach but a security
architecture design framework.
The term “zero trust” conveys the idea that we should trust nothing (zero): neither anyone nor any
application or system, when it comes to system and/or network security. A better way to
understand the concept of “zero trust” is to view it from the perspective of the Internet. The Internet
is a public network that is completely untrusted, i.e., one in which we should have zero trust. That
was one of the reasons the Internet Engineering Task Force (IETF) developed the Transport Layer
Security (TLS) protocol, on which HTTPS is built [46], to enable trust in websites on the Internet. The irony is that
HTTPS is also used by malicious web providers to gain trust.
Based on the ZTA principle, applications and servers on the Internet must be well protected to
ensure they can withstand the threats of the Internet. Whoever wants to access our internal
applications and/or data must be verified, authenticated, and authorized before being granted any
access. Hence, zero trust.

When designing and architecting networks and systems for the internal network, we should adopt a similar
mindset: the internal network cannot be trusted. ZTS approaches security from an access point
of view, especially at the access request or authorization step before access is granted. Users and
applications must be verified, authenticated, and authorized before they are granted access to a
specific server or application system. Authorization should also be based on the least-privilege
policy, i.e., granting access on a need-to-hold basis.
Ironically, to achieve the desired protection in an untrusted network, ZTS requires a highly trusted
identification, authentication, and authorization system (IAAS), supported by a trusted logging and
auditing system (IAS), to enforce the policy of trusting nobody when someone requests access to
the network.
ZTS asserts five fundamental tenets [44]:
1. The network is always assumed to be hostile.
2. External and internal threats always exist on the network.
3. Network locality is not sufficient for deciding trust in a network.
4. Every device, user, and network flow is authenticated and authorized.
5. Policies must be dynamic and calculated from as many sources of data as possible.
Before ZTS, corporate networks were normally architected by zones, layered like an onion.
The core is the most trusted zone, and each outer layer is less trusted the further it lies from
the core. Between the layers, network security protection is enforced by network
firewalls and/or security switches or virtual local area network (VLAN) devices. These security
devices authenticate the identity of users and applications requesting access from one network
zone to another, rather than to a specific application system or server within the zone. Once granted
access, the authorized user or application system has access to all other application systems
and servers in the zone, unless additional controls are implemented and enforced by specific
application systems within the zone for added protection. A common setup is the corporate
virtual private network (VPN) gateway that separates the corporate network (trusted zone) from
the Internet (untrusted zone). When remote employees request access to the corporate network via the
Internet, they are authenticated by the VPN gateway. Once the remote user has passed the security
check of the VPN gateway, the user has full access to the corporate network from the remote
location. Should the remote user’s credential be compromised, the perpetrator misusing her
credential will have full access to the corporate network.

In the ZTN architecture, every application system enforces the same security on remote
and local users alike, requiring each to identify with a valid username and authenticate
against their credential, normally using a multi-factor authentication mechanism. When access is
granted, the user has access only to that specific application system, for a specific period
allowed by the security policy, and is not able to roam around the network or reuse the
authorization to access other application systems within the corporate network. This reduces the
surface area of exposure and hence narrows the scope of potential attack.
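The contrast between the zone-based (VPN gateway) decision and the per-application zero-trust decision described above, as an added example that is not code from the module or from the ZTN/ZTA sources it cites. The user, device, addresses, resource names, session limit and entitlement table are all constructed.

```python
"""Zone-based versus zero-trust access decisions for the same request.

Added illustration; not code from the module or its sources. All identities,
device IDs, CIDRs, resource names and the policy table are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str           # the specific application system being requested
    mfa_verified: bool = False
    device_id: str = ""
    session_age_s: int = 0  # seconds since the user last authenticated


# --- Legacy zoning: trust follows network locality ------------------------
CORPORATE_ZONE = ip_network("10.0.0.0/8")   # constructed "trusted zone"


def zone_based_decision(req: AccessRequest) -> bool:
    """Anyone already inside the zone (e.g. past the VPN gateway) reaches
    every application system in it; the resource itself is never checked."""
    return ip_address(req.source_ip) in CORPORATE_ZONE


# --- Zero trust: each request authenticated and authorized per resource ---
@dataclass(frozen=True)
class ZeroTrustPolicy:
    entitlements: dict = field(default_factory=dict)   # user -> {resources}
    trusted_devices: set = field(default_factory=set)  # registered with IAAS
    max_session_age_s: int = 900   # access is granted for a bounded period

    def decide(self, req: AccessRequest) -> tuple:
        """Returns (allowed, reason); network locality is deliberately ignored."""
        if not req.mfa_verified:
            return False, "identity not verified with MFA"
        if req.device_id not in self.trusted_devices:
            return False, "device not registered with IAAS"
        if req.session_age_s > self.max_session_age_s:
            return False, "session expired; re-authenticate"
        if req.resource not in self.entitlements.get(req.user, set()):
            return False, f"{req.user} has no entitlement to {req.resource}"
        return True, f"least-privilege grant to {req.resource} only"


def compare(policy: ZeroTrustPolicy, req: AccessRequest) -> dict:
    """Side-by-side outcome of both models for one request."""
    allowed, reason = policy.decide(req)
    return {"zone_based": zone_based_decision(req),
            "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    policy = ZeroTrustPolicy(entitlements={"alice": {"payroll"}},
                             trusted_devices={"laptop-0001"})
    # Stolen password replayed from inside the zone: zoning admits it,
    # zero trust stops it at the MFA step.
    stolen = AccessRequest("alice", "10.20.30.40", "payroll",
                           mfa_verified=False, device_id="unknown")
    # Authenticated insider trying a system she is not entitled to.
    lateral = AccessRequest("alice", "10.20.30.40", "hr-database",
                            mfa_verified=True, device_id="laptop-0001")
    # Legitimate remote request: zoning blocks it, zero trust allows it.
    remote = AccessRequest("alice", "203.0.113.7", "payroll",
                           mfa_verified=True, device_id="laptop-0001")
    for req in (stolen, lateral, remote):
        print(req.resource, compare(policy, req))
```

The zero-trust path needs the common IAAS the module describes (MFA state, device registry, entitlements) on every request; the zone path needs only the source address, which is exactly why a compromised VPN credential gives a perpetrator the whole zone.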
ZTS is a security improvement over network-control security. Migrating from an existing network
security setup to ZTS requires every application system to change the way it identifies,
authenticates, and authorizes users and other applications, based on a consistent set of security
APIs that interface with a common IAAS and IAS. In recent years, regulators and government
authorities have recognized the security benefits of ZTS, and a few national authorities have started
to issue guidance encouraging the use of ZTS in government and business organizations. Most
organizations are taking a hybrid approach, retaining the network zoning architecture for less
sensitive applications while requiring more sensitive or critical ones to implement the ZTS
architecture to reduce the surface area of exposure. On the other hand, some organizations are
planning to leverage ZTS to reduce their internal network infrastructure footprint and host all
corporate applications on the Internet. This aligns fully with the vision of zero trust.

12 Summary
In this module, we have discussed several models, frameworks, approaches, and strategies for
managing information security: from military to commercial approaches using various security
models, to the risk-based approach, the responsive security strategy, and a few other supporting tools such
as balanced security scorecards (BSS) and security maturity models (SMM). BSS and SMM are tools
suitable for governing the execution of the security management strategy.
Each of these methods has its pros and cons, and in practice we normally adopt a hybrid
approach, using a combination of two or more of them to align with our critical needs.

As highlighted in the introduction module and in the discussion of the responsive security approach, it is
only with visibility that we can have situational awareness, and with limited resources we cannot be
doing everything, so we must prioritize and focus on what is critical to align security with the
business strategy.
In the next module, we will discuss the organizational and people aspects, including
organizational culture and social psychological behaviors that should be considered in designing
and implementing our security strategy and program.

References

1. Chantausornsir, W., 10,000 ATMs nationwide hack-prone, in Bangkok Post. 2016, Post Publishing
PCL.
2. Microsoft. Support for Windows XP ended. 2014 April 8; Available from:
[Link]
3. Chu, M.M. 14 ATMs In Three States Were Hacked To Steal Up To RM3 Million. 2014 [cited 2021
August 29].
4. Equifax, Rick Smith, Chairman and CEO of Equifax, on Cybersecurity Incident Involving Consumer
Data. 2017: YouTube. p. [Link]
5. Reuters. Equifax identifies additional 2.4 million customers hit by data breach. Business News
2018 [cited 2021 August 29]; Available from: [Link]
news/equifax-identifies-additional-2-4-million-customers-hit-data-breach-n852226.
6. Tham, I., Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst
cyber attack, in The Straits Times. 2018, Singapore Press Holdings Ltd:
[Link]
pm-lee-stolen-in-singapores-most.
7. Tham, D., Personal data of more than 73,000 patients affected in cyberattack on eye clinic, in
Channel News Asia. 2021, SPH: [Link]
surgeons-clinic-cyberattack-patient-data-camden-medical-2135056?cid=internal_app-web-
view_app_25082021_cna.
8. Thompson, K.B., SolarWinds Corporation Current Report - Pursuant to Section 13 or 15(d) of the
Securities Exchange Act of 1934 (Form 8-K). 2020, United States Securities and Exchange
Commission. p. 3.
9. Kaseya. Incident Overview & Technical Details. 2021 July 7 [cited 2021 July 8]; Details of the
REvil ransom attack on the Kaseya Virtual System Administration (VSA) system that affected more
than 1,500 end customers. Available from: [Link]
gb/articles/4403584098961.
10. Sebenius, A. JBS Hackers Took Data From Australia and Brazil, Research Says. Bloomberg 2021
June 8, 2021 [cited 2021 September 27, 2021]; Available from:
[Link]
and-brazil-researcher-says.
11. Panettieri, J. Colonial Pipeline Cyberattack: Timeline and Ransomware Attack Recovery Details.
2021 June 7, 2021 [cited 2021 September 27]; Available from:
[Link]
pipeline-investigation/.
12. ISO/IEC, IS 27001:2022 Information Security Management Systems - Requirements, in
Information security, cybersecurity and privacy protection. 2022, International Standards
Organization (ISO) and International Electrotechnical Commission (IEC)
[Link]
13. Sawyer, R.D., Sun-Tzu: The Art of War. 1994: Barnes & Noble Books.
14. McAlpine, A., The Ruthless Leader: Three Classics of Strategy and Power. 1992, 2000: John Wiley
& Sons, Inc.
15. Bell, D.E. and L. LaPadula, Secure Computer System: Unified Exposition and MULTICS
Interpretation, ESD/AFSC, Editor. 1976, Hanscom AFB, Bedford, MA 01731. p. 134.
16. NIST-CSRC. Early computer security papers (1970-1985), Introduction. [cited 2016 August 28];
Available from: [Link]

17. Clark, D. and D.A. Wilson. A comparison of commercial and military computer security policies. in
IEEE Symposium Security & Privacy. 1987. IEEE Comp Soc Press.
18. Kang, M.-C., Responsive Security - Be ready to be secure. 1st ed. 2013,
[Link]
Secure/Kang/p/book/9781466584303: Routledge (CRC Press). 237.
19. Parker, D.B., Fighting Computer Crime: A New Framework for Protecting Information. Second
Edition ed. 1998: John Wiley & Sons, Inc.
20. Pfleeger, C.P., Security in Computing. 2nd ed. 1997: Prentice Hall PTR. 574.
21. Brewer, D. and M. Nash. The Chinese Wall Security Policy. in IEEE Symposium on Security &
Privacy. 1989. IEEE Computer Society Press.
22. ISO/IEC, IS 27002: Code of Practice for Information Security Controls, in Information Technology -
Security Techniques. 2013, ISO/IEC.
23. SANS. The CIS Critical Security Controls for Effective Cyber Defense. 2016 [cited 2016 September
4]; Available from: [Link]
24. Schneier, B. How to think about security. Crypto-Gram Newsletter, April 15, 2002 [cited 2006 April 16];
Available from: [Link]
25. Schneier, B., Beyond Fear - Thinking Sensibly about Security in an Uncertain World. 2003:
Copernicus Books. 295.
26. Taleb, N.N., The Black Swan. 2007: Penguin Books. 366.
27. Taleb, N.N., Antifragile - Things that gain from disorder. 2012, New York: Random House. 519.
28. BSI, Part 1: Code of practice for information security management, in BS 7799-1:1999. 1999,
British Standards Institution (BSI): London.
29. BSI, Part 2: Information security management systems, in BS 7799-2:1999. 1999, British
Standards Institution (BSI): London.
30. ISO/IEC, IS 27001: Information Security Management Systems - Requirements, in Information
Technology - Security Techniques. 2013, ISO/IEC.
31. ISO/IEC, IS 27017: Guidelines on information security controls for the use of cloud computing
services based on ISO/IEC 27002, in Information Technology - Security Techniques. 2015, ISO/IEC:
[Link]
32. ISO/IEC, IS 27018: Code of practice for PII protection in public clouds acting as PII processors, in
Information Technology - Security Techniques. 2014, ISO/IEC:
[Link]
33. Alberts, C. and A. Dorofee, Managing Information Security Risks - The OCTAVE Approach. 2002:
Addison-Wesley. 471.
34. Parker, D.B., Making the Case for Replacing Risk-Based Security, in Enterprise Information
Security and Privacy, W.C. Axelrod, J.L. Bayuk, and D. Schutzer, Editors. 2009, Artech House. p.
116-126.
35. Kaplan, R.S. and D.P. Norton, The Balanced Scorecard - Translating Strategy into Action. 1996,
Boston, Massachusetts: Harvard Business School (HBS) Press. 322.
36. Jaquith, A., Security Metrics - Replacing Fear, Uncertainty, and Doubt. 2007: Addison-Wesley.
306.
37. The Open Group, Open Information Security Management Maturity Model (O-ISM3), in
Technical Standard. 2011, The Open Group.
38. Adams, J., Risk. 1995: Routledge. 228.
39. Schwartau, W., Time Based Security - Measuring Security and Defensive Strategies in a
Networked Environment. Revised ed. 2001: Interpact Press. 181.
40. Bejtlich, R., Where in the world is Winn Schwartau?, in Taosecurity. 2005.

41. Cohen, F. Time-based Security. Managing Network Security 1998 [cited 2006 April 30]; Available
from: [Link]
42. Cohen, A., Cloud-base water content measurement using single wavelength laser-radar data.
Appl Opt, 1975. 14(12): p. 2873-7.
43. Parker, D.B., Risks of risk-based security. Communications of the ACM, 2007. 50(3): p. 120.
44. Gilman, E. and D. Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks.
2017: O’Reilly.
45. Rose, S., et al., NIST Special Publication 800-207 - Zero Trust Architecture. 2020, National
Institute of Standards and Technology.
46. IETF, The Transport Layer Security (TLS) Protocol Version 1.3. 2018.
