The Complex New World of Information Security


David Porter (Detica UK Ltd., UK)
DOI: 10.4018/978-1-60566-132-2.ch002

This chapter discusses the latest developments in the shifting threat landscape and their impact on the world of information security. It describes how we are now moving into a “third wave” of cybercrime, where sophisticated criminals are applying relatively “soft” techniques that are more pervasive in their execution. It argues that, as a consequence, information security countermeasures based on the latest information intelligence technologies will need to be complemented by softer, more pervasive techniques drawn from disciplines such as process engineering, policy development, behavioral science, psychology and benefit management. The chapter also considers how these countermeasures can be fully realized in today’s business environment and concludes by discussing future directions such as the growth in complexity and the rise of the surveillance society. The author hopes that by understanding these new imperatives, information security practitioners will be in a stronger position to protect their organizations from today’s threats — and those of tomorrow.
Chapter Preview


The Rise of the Cybercriminal

With the industrial and mobility revolutions of the 19th and 20th centuries behind us, we now find ourselves in the grip of the 21st century digital revolution. The widespread diffusion of telecommunications and computer technology is now having a profound effect on the way we live. From online banking and shopping through to social networking, the digital revolution is creating entirely new ways of working and socializing as well as challenging, and even destroying, many others.

The world of the financial criminal is evolving in a similar way. To put today’s and tomorrow’s threats in context, let us begin with the recent past. A couple of decades ago the techniques used were relatively “hard” — high on violence and low on intellect — and focused in execution, such as armed robbery and mugging. Traditional security countermeasures comprised guards, dogs, fences and locks. As the digital revolution gathered pace in the late 1980s, criminals (both existing and newcomers) graduated into cybercrime, where the techniques used were “softer”, requiring more intellect and less muscle and involving a broader range of execution. The new threats included hacking, virus attacks and various forms of electronic fraud involving credit cards, ATMs, checks, mortgages and insurance.

A range of preventative countermeasures evolved in step, such as access control systems comprising firewalls, website and e-mail content scanners and the like. Detection systems were also deployed, based on a body of rules (often wrapped up inside behavioral scorecards) that define the way fraudsters and money launderers typically carry out their activities. These rule-based systems are often founded on the “three Vs” of profiling: the volume, value and velocity (timing) of transactions. Countermeasures also included process controls such as recruitment screening, segregation of duties, supervision and training. In the case of money laundering, much of this centered on the principle of “know your customer”: training front office staff to verify the identity of customers opening new accounts and to spot suspicious deposits or withdrawals. Last, but not least, information security standards such as ISO17799 have been deployed.
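As an added illustration (not code from the chapter), the following Python sketch shows what a minimal “three Vs” rule-based scorecard looks like: each account's transactions are scanned with a sliding window and flagged on volume, value or velocity. The transaction log, thresholds and window lengths are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction log (account, ISO timestamp, amount); not real data.
TRANSACTIONS = [
    ("acct-1", "2024-03-01T09:00:00", 120.0),
    ("acct-1", "2024-03-02T10:30:00", 80.0),
    ("acct-1", "2024-03-05T14:00:00", 95.0),
    ("acct-2", "2024-03-03T08:00:00", 50.0),
    ("acct-2", "2024-03-03T08:04:00", 4900.0),
    ("acct-2", "2024-03-03T08:05:00", 4950.0),
    ("acct-2", "2024-03-03T08:07:00", 4800.0),
    ("acct-2", "2024-03-03T08:09:00", 4990.0),
]

# Hypothetical thresholds for the three Vs (assumed, not taken from the chapter).
RULES = {
    "volume": 3,        # more than 3 transactions inside the profiling window
    "value": 10000.0,   # more than 10,000 in total value inside the window
    "velocity": 4,      # more than 4 transactions in rapid succession (the burst)
}
WINDOW = timedelta(days=7)      # profiling window for volume and value
BURST = timedelta(minutes=10)   # "velocity" burst length


def three_v_alerts(transactions, rules=RULES):
    """Return {account: sorted list of triggered rule names}."""
    by_account = defaultdict(list)
    for acct, ts, amount in transactions:
        by_account[acct].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for acct, events in by_account.items():
        events.sort()  # chronological order so windows only look forward
        fired = set()
        for i, (t0, _) in enumerate(events):
            # Every event opens a window; later events inside it are counted.
            window = [(t, a) for t, a in events[i:] if t - t0 <= WINDOW]
            burst = [t for t, _ in window if t - t0 <= BURST]
            if len(window) > rules["volume"]:
                fired.add("volume")
            if sum(a for _, a in window) > rules["value"]:
                fired.add("value")
            if len(burst) > rules["velocity"]:
                fired.add("velocity")
        if fired:
            alerts[acct] = sorted(fired)
    return alerts
```

Here acct-1 stays within profile while acct-2's five large transactions in nine minutes trip all three rules; in practice the thresholds come from per-segment behavioral baselines rather than fixed constants.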

Over the past few years, and into the present, we have seen a “second wave” of cybercrime, where criminals have moved further into “softer” and more sophisticated techniques that are more pervasive in their execution. This has been clearly demonstrated by the significant growth in:

  • the Internet as a general vehicle for committing all kinds of frauds;

  • Card Not Present (CNP) fraud as a result of the move from magnetic stripe to Chip-and-PIN credit cards;

  • identity fraud (application fraud and account takeover) as a result of the significant increase in remote online banking and shopping as well as the indiscriminate publication and sharing of personal information on blogs, instant messaging, wiki pages, file sharing and social networking websites;

  • sleeper fraud in which organized criminals imitate the behavior of genuine customers over an extended period of time, gain as much unsecured credit as possible and then default. This type of fraud is specifically designed to exploit the limitations of traditional record-matching technologies. The perpetrators are experts at distorting information to remain undiscovered until it is too late;

  • insider fraud, where the perpetrators range from temporary contractors to permanent staff and all the way up to the most senior executives. All are in positions of trust and exploit inadequate processes, systems and internal controls. The original “opportunity takers”, or people who exploit gaps in the system through temptation, incentive or pressure, have been joined by “opportunity makers”, or professional criminals who have infiltrated a company and are immune to, and will indeed exploit, an organizational culture of trust and caring. Businesses where there are high levels of organizational or process change have been particularly vulnerable, as have those where there is unchecked staff authority, high staff turnover or low staff morale.

A “second wave” of cybercrime countermeasures has been, and is being, developed as a result:

  • multi-factor authentication technologies such as one-shot password generators and biometrics based on voiceprints and fingerprints;

  • insider fraud detection systems that use advanced clustering techniques and supermarket-style loyalty scoring to identify lone individuals that stand out from larger employee clusters because of anomalous behavior that is consistent with classic insider fraud psychology. They are fed by audit trails from key systems such as financial transaction logs, call centre logs, telephone logs, building entry logs, web server logs and print server logs. These are supplemented with records from Human Resources and Finance systems;

  • detection systems based on “unsupervised” data mining methods that analyze large amounts of data in order to work out for themselves what is suspicious without having to refer to a checklist of rules. The output from these systems can then be turned into rule-based form in order to catch the criminals. These have helped banks begin to move closer towards “what we don’t know we don’t know”;

  • cross-industry data sharing to identify criminals before they have a chance to strike, the most significant example being the UK’s Insurance Fraud Bureau;

  • case management systems that are more closely integrated with detection systems and can handle a greater variety of multimedia such as scanned-in images, audio recordings, still images and moving images;

  • e-Discovery, or the process of collecting and searching electronic documents for information relevant to civil litigation;

  • revised information security standards such as ISO27001.

Key Terms in this Chapter

Digital Revolution: The widespread diffusion of telecommunications and computer technology that is creating entirely new ways of working and socializing as well as challenging, and even destroying, many others.

Social Network Analysis: An analytical tool used by investigators to identify, understand and evaluate networks of collaborating individuals across disparate and often unconnected sources of data.

Financial Criminal: A term used to describe thieves, fraudsters, money launderers and other criminals who steal money, usually by deception, from financial institutions and other organizations or alternatively use them to launder the proceeds of serious crime.

Business Resilience: The move to a level of security more normally associated with critical national infrastructure, which involves integrating business, technical and physical security systems into a single holistic framework.

Identity Fraud: Where someone knowingly assumes a false identity (fictitious, living or dead), with or without consent, in order to apply fraudulently for some kind of credit, service, asset or benefit, or else masquerades as the legitimate holder of an account and steals the account funds.

Social engineering: A collection of techniques used to manipulate people, often via a computer or telephone, into performing acts or divulging confidential information to facilitate the execution of a fraud.

Networked Operational Risk Model: The move to a level of operational risk management that addresses an increasingly complex operational environment through the deployment of a network of interconnected, mutually-reinforcing defenses that utilize advanced information intelligence analytics to detect previously unknown patterns of potentially suspicious activity.

Benefits Realization Management: The process of identifying, recording, tracking and delivering benefits to ensure the ultimate success of a project.

Information Intelligence: The technique of turning large volumes of complex data into relevant and actionable intelligence in order to better manage risk and increase profitability.
