Chapter 6 - Management of Information Protection

Chapter 6 - Management of Information Protection

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

Because the protection of information is an ongoing activity that we have to pursue in order to prevent harm, it must be managed just like any other activity. The key issue in the management of protection is making rational decisions about the allocation of fiscal resources. The key element in this decision making process is the analysis of cost/benefit tradeoffs. In the case of information protection, this primarily involves the analysis of risks and the techniques which may be used to reduce them.

In many cases, people do damage to themselves by being more defensive than the risk justifies. A typical example involved a defendant in a commercial law case who slandered the suing attorney rather than pay a $25 bill. The attorney turned around and sued the defendant for defamation of character. Just the legal fees involved in defending against this suit can run into thousands of dollars. This is a clear case where harmful effects of information could have been prevented through a proper degree of self restraint.

The details of the cases may differ, but the basic concept of risk management remains the same. The benefits must be weighted against the costs in order to make sensible decisions. In information protection, there are some seemingly insurmountable difficulties in making sensible decisions. The first major difficulty lies in the attainment of an objective opinion of costs and benefits; the second major difficulty is the attainment of accurate data upon which to base analysis; the third major difficulty is the selling of protection within an organization; and the fourth major difficulty is demonstrating that the protection was justified after the fact.

The defendant in the above case was not objective about the ramifications of his decisions because he was charged with the fervor of the moment. He was upset at what he thought to be a gross inequity, and felt bound to fight for a principle no matter the cost. Their are probably many principles worth preserving at all costs, but the one in question was probably not one of them. It seems to be the general case that the violation of private information is viewed in a very personal manner. The alternative is to get impartial outside opinions.

In court cases, it is difficult to determine what the outcome will be ahead of time because there are a large number of random events that may effect a case, and because there is no current method for objectively assessing the value of using different arguments in court. Similarly, there is no objective method, at present, of assessing the probability of attacks or the real value of information assets. We are left with some objective bounds on values, and a great deal of subjective speculation. A well known security expert is quoted as jesting that 'Only 15.8% of all computer crimes are ever detected.' Thus even if we kept very accurate statistics on attacks against information systems, the attainment of accurate data upon which to base analysis would be highly speculative.

In the ensuing actions, our defendant made a strong case for the propriety of his own actions and the impropriety of the attorney's actions, but he had a hard selling job at hand. He managed to sell himself, and that was enough to go ahead with his case, but he had a hard time selling it to the judge. His hard time was due to a lack of sufficient homework. He thought that his basis for defense was firm, but it ignored a great deal of historical data, had insufficient supporting evidence, and his arguments were not well presented.

What is even more disconcerting is that if he had won the case, he would have thought that he did a good job, even though he did not, and if he had lost the case, he would have thought that he did a good job, but that it just didn't turn out the way it should have because of a fluke. The problem here is that, in most cases, there is no firm way to establish after the fact that protection has or has not been cost effective. In the exceptional case where proper protection provides adequate coverage of an otherwise catastrophic event and the demonstration of that success is well touted within the organization, an argument can be made for the virtues of protection and the propriety of decision making. In the exceptional cases where protection is obviously lacking and fails to cover a critical contingency that results in an obviously catastrophic event, the case can be equally well made for the inadequacy of protection and the impropriety of decision making. Unfortunately, most catastrophic events that might have happened without protection, and catastrophic events that happen due to a lack of protection go unnoticed. If 84.2% of all attacks go unnoticed, we can multiply the noticed events by 6.33 to improve our accuracy, but at best, our estimates are just shots in the dark. How can we know precisely how much we don't know?

What we are left with is a case of survival of the fittest. Those who make the best decisions will best survive, and those who make the worst decisions will likely die out. Perhaps we should take our lessons from those who have survived the longest in the field of information protection (although not without their share of incidents), the military.


1 - Perform a sample risk analysis of a PC based system in a typical office environment. Get numbers where appropriate by investigating the literature for reasonable approximations. Write a simple program to perform this analysis for any set of data and to automatically suggest the most cost effective sequence of protection measures.

2 - List three reasons that estimating the likelihood of an event is difficult. Suggest management methods by which this difficulty can be reduced.

3 - Design a management structure for protection of a facility which supports 25 engineers and researchers with high performance individual work stations and a network file server in a downtown office building. Assume characteristics of the hardware and software based on present technology. What sort of budget items are critical to protection management? How many people are likely to be needed for the protection function? What types of people? How do you go about finding the answers to these questions? Suppose you are in the position of being responsible for this structure and are personally liable for bad judgment. Does this effect your decision? How?

4 - I suspect that a user on my UCB is abusing privileges by placing illicit code in libraries.

5 - Suppose a system administrator was having problems with unauthorized users gaining access to confidential information. What actions would be most appropriate in the short run? In the long run? What would be the most likely problems to suspect? How would you go about finding them? Where do you start?

6 - I have an A1 TCB which I wish to connect to with a set of PCs distributed throughout the building. The PCs are running the DOS operating system, and communicate to the TCB using their RS232 interfaces.