The problem to be solved is now identified, and motivation has been given for the research topic, which is the first phase of the DSRM process described by Peffers et al. (2007). Effective implementation of information security has proven to be difficult, although the efforts are justifiable.

Information security management in practice can be defined as the implementation of managerial and technical controls that are selected in the risk management process and integrated into the organization’s business processes.

Effective implementation calls for buy-in at all levels, from top management down to system users and developers. Positive net benefits, such as cost and time savings, can be achieved by adopting information security as a goal alongside direct business objectives.

Organizations should be more aware of threats and exploitable vulnerabilities in their information system assets. Theoretically, if either the threat or the vulnerability is removed from the risk calculation, no risk remains. From the reviewed standards it can be concluded that systematic risk management is a key information security process, because risk assessment and risk management are prerequisites for the selection and implementation of security controls. One cannot select and implement controls effectively without understanding the risks. Risks also include future risks that cannot be derived from past events, which is why an external attacker is needed to simulate them.

Elimination of all risks has proven to be impossible. Therefore, identification of emerging threats and response to them is of paramount importance in the dynamic field of information security. Real-world attack simulations can be used to test an organization’s security maturity, especially at the technical level. This calls for actionable intelligence, funding, capabilities and trusted security experts to conduct the testing. (Caron, 2019)

In the following chapters the relationship between threats, risk management and red teaming will be explored in the framework of information security. At this stage a justifiable assumption can be made that recognition of threats is a key driver for better information security.

In the NIST Special Publication 800-53 (2013) the term “life cycle” appears 77 times. On 56 occasions it relates to the importance of integrating information security and security controls already during information system development. The information security risk management process should be integrated into the system development life cycle.

Some key terminology and distinctive phases of building and maintaining information security recur across the literature. Therefore, a comparison matrix is presented in the table below. The table was created to elaborate the information security and risk management terminology and to find similarities and differences between information security and risk management processes. Phases from the different sources are listed in the same order as in the original documents. Therefore, the rows are not comparable by substance, because the scope of the source documents differs.

TABLE 3 Information security and risk management terminology matrix. (Only fragments of the table survive extraction: the column headers “Phase” and “Knapp et al.”, and the cells of phases 3 and 5: “Policy implementation”, “Operation”, “Assess Security Controls”, “Risk treatment and residual risk reporting”; “Policy enforcement”, “Security review”, “Performance evaluation”, “Authorize”.)

The conclusion is that information security, whether looking at the overall effort or at policy development, should be cyclic by nature, risk-driven and closely related to business objectives. A fusion of the comparison matrix is presented in Figure 15 below.

FIGURE 15 Cyclic risk-driven information security process.

In the following chapters red teaming is introduced and defined in the context of cyber security and information security. Red teaming will be reflected against the comprehensive organizational-level process by Knapp et al. (2009), with the addition that information security is cyclic and risk-driven.

4 RED TEAMING IN CYBER SECURITY

“Everyone has a plan until they get punched in the mouth.”

– Mike Tyson

This chapter’s title mentions cyber security, even though chapter 3 is about information security. The two terms overlap but are not entirely analogous.

Information security as a term does not always cover all the aspects that cyber security does, and vice versa (Von Solms & Van Niekerk, 2013). The combining factor is that both involve information and communication technology (ICT). Information security may handle assets that are not computerized, whereas cyber security can handle non-information-based assets that are vulnerable to attacks stemming from the use of ICT. An example is cyber-bullying, where the CIA triad is not compromised in any way, but the bullied person is harmed via ICT (Von Solms & Van Niekerk, 2013).

This is a descriptive chapter which builds on the environment and knowledge base sections of the information systems research framework (Hevner et al., 2004). In the design science research methodology process this chapter comprises part of phase 2, defining the objectives of a solution, by introducing cyber security, advanced persistent threats, penetration testing and bug bounties. Part of phase 3, design and development of the construct (Peffers et al., 2007), is also covered, along with exaptation in the DSR knowledge contribution framework, which means extending known solutions (e.g. red teaming) to new problems (i.e. information security management) (Gregor & Hevner, 2013).

The US Director of National Intelligence listed cyber threats first among global threats in the Worldwide Threat Assessment 2018 (Director of National Intelligence, 2018). Nowadays cyber threats are widely studied and are recognized by EUROPOL as one of the main elements of modern cybercrime (EUROPOL, 2018).

Advanced persistent threat (APT) as a term surfaced around 2006 (Binde et al., 2011), and the attackers are constantly developing their techniques and adapting to defences (Daly, 2009; F-Secure, 2018). This makes external attackers an important topic to examine. Sophisticated insider threats started to draw attention at the same time (Duran, Conrad, Conrad, Duggan, & Held, 2009; Willison & Siponen, 2009), forcing defenders to turn their attention inside the organization as well. These are the reasons red teaming is needed in cyber security: to emulate the modern attacker and to create better technical protection, processes, response actions and training to mitigate evolving cyber threats from inside and outside.