This chapter describes the concept of information availability (IAV) which is considered an important element of information security. IAV is defined as the ability to make information and related resources accessible as needed, when they are needed, where they are needed. In the view of the authors, this notion encompasses more than just making sure that the information technology (IT) infrastructure is technically adequate and continuously available, but it also emphasizes other often-ignored attributes of IAV, such as appropriate policies and procedures, an effective security policy, and the establishment of a workable business continuity plan. Thus, the goal of the chapter is to define IAV in the context of information security and elaborate on each of these first and second order determinants of information availability.
As the Internet has matured, enterprises have leveraged information technology (IT) to enhance their operations and improve the services to which consumers have access. The marketplace has embraced these new capabilities, and many consumers now depend upon these services on a daily basis. To meet consumer demands, many businesses now require critical information systems (IS) be online 24 hours per day, seven days per week, and 365 days per year. Due to this increased dependency, the availability of critical IT resources has assumed new importance. While availability is not a new attribute of information, it has dramatically grown in its importance because of the criticality of systems that are now operating in a distributed computing environment. According to recent estimates, the cost of unavailability is astounding and ranges from $1 to 3 million per hour depending upon the industry sector (Ontrack Data International, 2006). Enterprises require that availability be provided with the same certainty associated with confidentiality and integrity. Therefore, proactive steps need to be taken to mitigate risks that could result in unavailability and procedures need to be in-place to respond to an event that threatens to degrade availability.
Security professionals have developed several protocols, tools, and techniques in an attempt to achieve three generally accepted information attributes (i.e., confidentiality, integrity, and availability), thereby resulting in enhanced Information Security (INFOSEC) (Jonsson, 1998). A system’s effectiveness is improved by INFOSEC in that the attributes provided offer defensive capabilities (Maconachy, Schou, Ragsdale, & Welch, 2001). These defensive capabilities are necessary, because information has real value (Denning, 1999) and an organization cannot afford to stand by while its information is made unavailable by natural disaster, hardware or software malfunction, or accidental or intentional loss of resources or data (Hutt, Bosworth, & Hoyt, 1995, pp. 16).
While Information Availability (IAV) is well-established as an attribute required for INFOSEC, few security researchers and practitioners have chosen to address IAV with the same enthusiasm as the other security attributes. INFOSEC researchers and practitioners were, and remain, most concerned with maintaining confidentiality and integrity of the information. According to Hosmer (1996), information availability remains mostly misunderstood and unresearched because of the seemingly endless number of potential factors that can impact the availability of information. Hosmer argues that the current availability paradigm is inadequate and emphasizes that social threats as well as technical threats add to the multifaceted nature of IAV. Furthermore, communications protocols were designed to make information and resource sharing possible; INFOSEC emerged afterwards. IAV was treated as a function of bringing-up an IS and in terms of a user having access to that system. Initially, access was controlled by physical barriers and obstacles. As networking became more popular (and anyone with a computer, a modem, and the knowledge of the operating system (O/S) could remotely access an IS), the need for INFOSEC emerged. IAV was a prerequisite; therefore, INFOSEC researchers and practitioners needed to develop methods and procedures of maintaining confidentiality and integrity. This security paradigm was necessary, but never truly sufficient. For example, if an IS did not have enough modems, then users would receive a busy signal. If the IS was offline, then users could not access the IS. Users accepted the technological constraints of the time, but as technology has improved dramatically over the past decade, and IT resources have become more reliable and pervasive, it seems that the user’s tolerance level for downtime has decreased.
Key Terms in this Chapter
Redundancy: The ability of an organization to reconstruct an information element to its last state before disruption and having capabilities to connect to its information resources despite disruptions. The goal of redundancy is to minimize unavailability by utilizing redundant capabilities for restoring the capabilities of an organization’s systems.
Auditing: Process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently
Operational Controls: System rules and guidelines necessary to manage the day-to-day activities that occur within an enterprise’s information resources.
Backup: Copy of files and programs made to facilitate recovery if necessary.
Information Availability (IAV): The ability to make information and related physical and logical resources accessible as needed, when they are needed, and where they are needed.
Redun dancy: Having an information element stored redundantly or having the ability to reconstruct an information element.
Timeliness: The responsiveness of a system or resource to a user request. In fact, traditionally information availability has mostly been measured by the amount of time an information resource is either processing or not (uptime and downtime).
Business Continuity Planning: A key component of any enterprise’s plan to maintain operations in the event of a catastrophic event such as a natural disaster or a network attack. It also includes planning for backup operations and post-disaster recovery, to ensure the availability of critical resources.
Security Policy: A documented high-level plan for organization-wide computer and information security.
Accessibility: The degree to which a system is usable by as many people as possible without modification and is characterized in terms of the ability of users to have physical access to the system, the nature of users’ interface with the system, and the ability to physically retrieve potentially relevant information.
Reliability: The degree to which a system performs its purpose for the period of time intended under the operating conditions encountered.
Systems Monitoring: Monitoring system performance provides the stakeholders of the enterprise with measurements of how the information resources are operating and allows security professionals to identify potentially unauthorized activity and implement real-time defensive countermeasures to minimize the system’s exposure to potential loss.
Physical Security: Protecting building sites and equipment from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage.