Risk Mitigation Techniques in Information Security

Human-Written
Words: 1477 | Pages: 3 | 8 min read

Published: Jul 15, 2020


Table of contents

  1. Introduction
  2. Mitigating Information Security Risks Through Information Security Awareness System
  3. Device Management Strategy of Mitigating Risks
  4. Limitations and implications of these techniques
  5. Conclusion

Risk mitigation is a salient issue in risk management. With ever-changing technology, threats and breaches are unavoidable, especially where there is vulnerability. There are various risk mitigation techniques. This paper reviews the literature and evaluates two basic approaches to mitigating information risks, specifically in the Bring Your Own Device (BYOD) environment. Employees see the BYOD system as productive, flexible and efficient, and the organization sees it as cost effective, but BYOD is a threat-inviting system for the organization’s data. The first risk mitigation technique explained in this paper is the Information Security Awareness System. Security awareness programs or trainings in many organizations are not continuous, but when a system is put in place it makes security awareness a routine for system management. The second is Device Management, which lets management supervise the compliance of devices used by employees with corporate policies. After describing the two techniques, the paper brings out the gaps, limitations and implications of each. The evaluation shows that both approaches are good for an organization but have their downsides. Employees are key to either technique, as they are affected by it in some cases and a danger to it in others. Keywords: risk mitigation, bring your own device, information security, awareness, device.

Introduction

Risk mitigation is one element of risk management, and its implementation will differ by organization. Risk mitigation focuses on the inevitability of some disasters and is used for those situations where a threat cannot be avoided entirely. Rather than planning to avoid a risk, mitigation deals with the aftermath of a disaster and the steps that can be taken before the event occurs to reduce its adverse, and potentially long-term, effects. Currently, most researchers focus on risk assessment but tend to ignore the risk mitigation aspect. As a result, risks in information security get assessed but not mitigated or reduced, since risk mitigation is quite complex and full of uncertainty. Therefore, it is crucial to address the risk mitigation techniques or strategies used by organizations in information security, whether to maintain their competitiveness, eliminate the risk of being compromised, or reduce this risk to an acceptable level. This paper critically evaluates two common risk mitigation techniques in a Bring Your Own Device (BYOD) environment. The BYOD concept greatly enhances employees’ functionality and makes corporate information and the organization’s data readily available to them on their personal devices.

Mitigating Information Security Risks Through Information Security Awareness System

The National Institute of Standards and Technology (NIST) defines information security “awareness” in the Special Publication 800-16 as follows: “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance”.

This definition explains the difference between awareness and training programs: the conveyed information targets different kinds of audience, who would use it at different levels. Because of the limitations of an awareness program, a sound ISAS (Information Security Awareness System) needs to contain interactive learning materials. Transmitting information about security breach incidents is not enough, because a user needs to be able to respond to the incidents; doing so improves the user’s security awareness and transfers security knowledge. The literature explains that the structure of an ISAS should have five components:

  1. System Management. This section of the ISAS regularly manages system contents such as discussion topics and contents, news, and articles using the system management components.
  2. User Management. This section helps the system manager to maintain users’ data and confidential information and store them in a central place.
  3. Incident Management. This component gives the system manager the ability to modify, maintain, and manage incidents using wizards and templates.
  4. Awareness Activity Management. This section allows the system manager to add and delete awareness activities as well as easily create new projects. For example, a system manager can upload files to the database server, so users can browse through activity files.
  5. Evaluation Management. Here, a system manager can get information concerning participation behavior and performance records for each participation activity.

It is suggested that an Information Security Awareness System (ISAS) can be built on electronic learning (e-learning) methods to deliver security awareness concepts. The literature explains that, in terms of actual learning delivery, e-learning includes strategies such as computer-based learning, web-based learning, and distance learning. Although many believe that e-learning is efficient, low in cost and quick for workers to complete, organizations should be more concerned with the effectiveness of what the e-learning delivers. In terms of security awareness, the concept of information security is a multidimensional one that includes authorization, authentication, confidentiality, data integrity, availability, and recovery.

Device Management Strategy of Mitigating Risks

ENISA used inputs and comments from a group of experts from industry, academia and public organizations. The experts were selected according to their engagement with security in emerging technologies, security in Bring Your Own Device (BYOD) and Consumerization of IT (COIT). However, the ENISA approach to mitigating risks in information security is proposed, not tested.

  1. Mobile Device Management (MDM) suites. Mobile device management (MDM) suites emerged in the last few years as key solutions for BYOD. Organizations use MDM security software to centralize management and control of employees’ devices.
  2. Compliance of user device configuration with corporate security standards. Here, organizations should allow only certified devices access to the corporate network. One way to ensure this is to have corporate IT staff examine the devices to confirm that their configuration is secure and in compliance with corporate standards and policies.
  3. Incentive-driven usage of devices running approved OS and application software. Many employees’ devices run customized or jailbroken versions of software, which may introduce security risks. Organizations should offer to pay part or all of the user’s mobile device costs when the device complies with the organization’s security policies.
  4. Usage of devices that can enforce network-propagated policies and restrictions. Secure configuration of device may not be enough to ensure its total security, because many threats are propagated through the networks. To mitigate the possible threats, the devices should run software that can enforce policies and procedures when it receives such commands from the corporate servers.
  5. Network segmentation according to security levels. Here, the corporate network should be segmented into different divisions, in which only users from the respective profiles will have access to applications/data of their level.
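The five controls above can be combined into a single device posture check. The following is an added example, not code from the essay or from ENISA: it applies each control to constructed BYOD device records and returns an access decision plus the network segment the device may join. Field names, the approved-OS baseline, the segment names and the sample devices are all assumptions.

```python
# Added example (not the essay's or ENISA's code): posture check applying the
# five controls above. Field names, OS baseline and segment names are assumed.
from dataclasses import dataclass

APPROVED_OS = {("ios", "17.4"), ("android", "14")}  # assumed baseline (control 3)
SEGMENTS = {"public": "guest-vlan", "internal": "corp-vlan",
            "restricted": "secure-vlan"}  # assumed segments by level (control 5)

@dataclass
class DevicePosture:
    device_id: str
    os_name: str
    os_version: str
    mdm_enrolled: bool          # control 1: managed through the MDM suite
    certified_by_it: bool       # control 2: configuration examined by IT staff
    jailbroken: bool            # control 3: customized or jailbroken software
    policy_agent_running: bool  # control 4: can apply server-pushed restrictions
    user_profile: str           # control 5: profile that selects the segment

def evaluate(device: DevicePosture) -> dict:
    findings = []
    if device.jailbroken:
        # A modified OS cannot be trusted to enforce anything: no access at all.
        return {"access": "deny", "segment": None,
                "findings": ["jailbroken or customized OS"]}
    if not device.mdm_enrolled:
        findings.append("not enrolled in MDM")
    if not device.certified_by_it:
        findings.append("configuration not certified by IT")
    if (device.os_name, device.os_version) not in APPROVED_OS:
        findings.append("OS build not on approved baseline")
    if not device.policy_agent_running:
        findings.append("no agent to enforce network-propagated policies")
    if findings:
        # Fixable gaps: park the device on the guest segment until remediated.
        return {"access": "quarantine", "segment": SEGMENTS["public"],
                "findings": findings}
    # Fully compliant: the segment follows the user's profile; unknown -> public.
    segment = SEGMENTS.get(device.user_profile, SEGMENTS["public"])
    return {"access": "allow", "segment": segment, "findings": []}

# Constructed sample devices: compliant, unenrolled, and jailbroken.
SAMPLE_DEVICES = [
    DevicePosture("d1", "ios", "17.4", True, True, False, True, "restricted"),
    DevicePosture("d2", "android", "14", False, True, False, True, "internal"),
    DevicePosture("d3", "android", "13", True, True, True, True, "internal"),
]

def evaluate_all(devices=SAMPLE_DEVICES) -> dict:
    return {d.device_id: evaluate(d) for d in devices}
```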

Limitations and implications of these techniques

MDM might be a very good mitigation technique for data security but would also be a very big privacy issue for employees. It is a plain truth that MDM offers significant insight into employees’ device activities at any given time. IT teams are also authorized to perform various actions on employee devices, such as wiping data remotely, locking devices, monitoring employee locations for corporate security reasons, and more. Incentives and rewards could be a good way of motivating an employee to adhere to corporate policies and standards, but not everyone sees things alike: “the use of rewards is individual: what may work as reinforcement for one person may not work for another person”. Considering employees’ attitude and intention toward actual compliance, habit is a usual way of behaving. Habit is an unconscious and automatic act, and habits affect an employee’s intention to comply with IS security policies. Too many security standards and policies could affect employees’ behavior and productivity, which could also be risky to the organization. A generic problem of information security is compliance with standards and policies. Insider threat to information security could be another big problem: giving an employee too much knowledge about data security could be dangerous. Although these techniques could use a trust-and-verify approach, the trust could be impossible to measure.


Conclusion

An organization’s information is a great asset which should be kept safe and secure. The paper has described the gaps in these techniques as basically employees’ compliance and trust; therefore organizations could make devices available to employees or corporate network users. This would make device compliance the organization’s responsibility and take the employee’s device compliance problem off the table. Truly, everyone needs to be security aware, as it helps one know what one should and should not do concerning security. But organizations could use more technology to mitigate risks, as human attitudes toward awareness might not be quantifiable or reliable.

This essay was reviewed by Alex Wood

Cite this Essay

Risk Mitigation Techniques In Information Security. (2020, July 14). GradesFixer. Retrieved November 19, 2024, from https://gradesfixer.com/free-essay-examples/risk-mitigation-techniques-in-information-security/