

Information Security Design Principles for Adaptive Organizations

Sharman Lichtenstein

Information security represents a very real threat to systems existing in new types of organizational structures termed adaptive organizations, where many key requirements for success differ from those for older, rigid, stable organizational structures. This article examines the suitability of traditional information security design principles with respect to adaptive organizations, and indicates the need for a revised set of information security design principles for such organizations.

Introduction

Information security design is guided by a set of principles for the systems designer or analyst to use in the selection, design and evaluation of appropriate controls. These principles evolved from principles for physical security, business accounting security, computer security, and operating system security. A well-accepted exemplar of information security design principles is the set of twenty-three principles proposed by Wood [1]. These and earlier sets of principles were founded on traditional information security concepts which assumed rigid, stable, traditional organizational structures. Baskerville [2] has shown that information security itself represents a significant threat to systems in adaptive organizational structures, where many key requirements for successful operation differ from those for older, rigid, stable structures. He argues that traditionally-designed information security does not appear to be well-suited to adaptive organizational structures.

Computer Audit Update, June 1996. © 1996, Elsevier Science Ltd.

Information security design principles

Wood [1] defined twenty-three principles for information security design. These represent information security concepts which in fact evolved during periods of relative organizational stability. The earliest principles were based on general physical security, that is, the protection of assets from physical threats [3]. Later sets of information security design principles sprung from the domain of computer security [4], in particular operating system security [5, 6]. Researchers who have contributed to the development of information security design principles include Saltzer and Schroeder [6], Gaines and Shapiro [17], and Parker [3, 4]. However, Wood's principles are viewed as the most recent exemplar for information system security design, and have thus been adopted as a suitable set to evaluate for their applicability to a specific class of organizational structures.

Wood's twenty-three principles are outlined below:

Cost-effectiveness: The 'owner-of-the-information' view of cost-effectiveness states that the cost of a control should be less than the asset loss cost. The perpetrator view of cost-effectiveness states that the cost to compromise a control should be greater than the value of the reward if the compromise is successful.

Simplicity: Controls should be simple to develop, operate and use.

Override: Steps should be able to be taken to override controls temporarily when required.

Overt design and operation: Controls should be designed as overtly as feasible, without undue reliance on the secrecy aspect.

Least privilege: Users should be granted the least access privileges necessary for performance of their jobs (typically "Need-to-Know" access).

Entrapment: Controls are permitted to aim to trap people into incriminating themselves.

Independence of control and subject: The person(s) who develop a control should not be the person(s) controlled by the control.

Universal application: A control should be applied uniformly and completely over the relevant domain. There should be no exceptions to the application of controls.

Acceptance of control subjects: Controls should be well-accepted by users.

Sustainability: Controls should be robust and enduring over time.

Auditability: Controls must generate evidence to demonstrate their correct operation.

Accountability: Specific users must be assigned individual responsibility for specific controls.

Defensive depth: Controls should be layered to provide depth of control.

Isolation and compartmentalisation: Information resources should be grouped and separated to minimise the extent of the information resource loss.

Least common mechanism: Minimise reliance on an important system component which may become unavailable.

Control the periphery: Controls should concentrate on detection and prevention at the point of attempted break-in.

Completeness and consistency: Controls should cover all possible compromise attempts, and should operate frequently and regularly.

Default to denial: When a control fails, access should be denied to users and to other entities requesting service.

Parameterization: Variable controls provide greater flexibility and effectiveness.

Hostile environment: Design controls for an environment where the users may not be trustworthy.

Human involvement: People, as well as computers, should act as controls by being involved in security decisions.

Secure image: The system should appear secure to the public, because to appear vulnerable encourages attack.

Low profile: The company should present a low profile to the public, in order to conceal the existence of valuable information resources. This minimises the chances of attack.

A few observations about these principles in general should be made. Firstly, there are relationships between the principles. For example, cost-effective controls tend to be simple controls. Secondly, Wood emphasised that not all the principles are equally applicable in a given environment. For example, a military establishment is more of a 'hostile environment' than a school is, and its controls may need to be less 'simple' as a result. Thus, using the principles as guidelines for controls selection, design and evaluation in information security development and management requires careful analysis, experience and good judgement.

Adaptive organizations and information systems

The fundamental requirement of adaptability for the success of an organization in the rapidly changing environments of the 1990s has been discussed by many authors, including Galbraith et al. [8], Hammer and Champy [9], Pascale [10], Pasmore [11], Peters [12, 13], Senge [14], and Toffler [15]. Organizations have begun to break away from past bureaucratic, hierarchical and rigid structures, and to move towards non-rule-based, flatter and more flexible structures.

Burns and Stalker [16] were early researchers in these types of organizations, naming organizations which could adapt to a changing environment "organic". Bennis [7] discussed "organic-adaptive" organizations, and later Toffler [18] coined the term "adhocracy" to describe such organizations.

Since then, many authors have discussed organizations which can be termed adaptive organizations, exhibiting the following common trait: the ability to succeed in today's changing, highly competitive, global environment by supporting rapid, innovative adaptation to change, both internally and externally. The adaptive organization has only one program with a single objective - change which leads to constant improvement in all business aspects. These organizations are assertive, actively seeking out opportunities to exercise their flexibility and capacity to respond quickly to changing needs. Adaptive organizations which identify trends and generate choices by learning from their experiences are termed "learning" organizations.

An adaptive organization is fluid in that it does not have a fixed structure. Flexible, informal, decentralised organizational structures enable the crossing of internal, functional boundaries as well as organizational boundaries, by constantly changing teams composed of employees and external parties such as suppliers and customers. Employees are empowered by being allowed to contribute to decision-making, by providing rapid problem resolution in innovative and creative ways, and by being encouraged to evaluate work processes and suggest improvements. They are trained in a variety of skills, in order to enhance their ability to contribute to the organization, thereby forming a multi-skilled resource pool from which the best possible project team for each new project is selected. Such employees are able to survive in the predominant atmosphere of constant organizational change.

Experts in the specialised skills and knowledge required for the task direct the task, rather than management. Real responsibility is given to employees. The leadership role of management in adaptive organizations is to support, revitalise and encourage employees, rather than to control them. This kind of management enables employees to criticise, evaluate and experiment, and to develop new skills through the provision of training. Employees also develop the self-confidence required to thrive in a constantly changing organization.

Traditional organizations, on the other hand, are characterised by hierarchical, bureaucratic structures, with formal rules and an orderly, static structure and nature. They are associated with large, simple, stable industries, and are stable in strategy, structure, human resource patterns and management. Managerial styles are controlling, and personnel status is associated with rank and title. Employees are controlled by formal rules and procedures and vertical management, resulting in standardised performance. Power is centralised, there is high division of labour and job specialisation, and communication is top-down and impersonal.

The organizational types discussed by Mintzberg [19] and Robbins [20] indeed fall into one of the two fundamentally different classifications described above. Traditional organizations include simple, machine, functional, divisional, professional, missionary, and political organizations. Adaptive organizations include matrix, task-force, network and innovative organizations. Adaptive organizational structures are still regarded as an ideal rather than a reality, although the numbers of such organizations are growing.

Information systems associated with traditional organizations tend to be predictable, stable and rigid, whereas those associated with adaptive organizations tend to be unpredictable, short-lived and flexible. Experts such as Peters [13] indicate maximum system lifespans of two to three years. Baskerville [2] argues that information systems for adaptive organizations require the characteristic of spontaneity in order to achieve the flexibility required to enable fast changing of processes and data as required, and on demand.

Information security needs for adaptive organizations

Baskerville [2] asserts that the structure and order added to information systems by traditional information security "can inhibit severely the information spontaneity that is necessary for rapid organizational adaptation and consequent organizational survival". All structures, including controls, inhibit organizational change.

He argues that:

• organizational change brings changing information security needs which, if implemented in the traditional way (i.e. using traditional information security design principles) would impose structure, thereby destroying flexibility;

• risk-based controls selection based on impact cost and likelihood of occurrence is of reduced usefulness, both because cost estimates will be less accurately assessable, and because any selected controls incur intangible costs to system spontaneity (these costs would not have been taken into account in the risk analysis);

• flexible controls are required to cater for changing process and data requirements;

• controls "must make unpredictable, yet correct, decisions about what constitutes allowed behaviour", thus emphasising "logical, small-scale and sociologically-based" controls;

• people must act as the essential system controls, as people possess the ability to be flexible, whereas technological controls do not;

• controls should be reusable, in order to minimise time and expense in new control development;

• authority for system security must come from the lowest level of the organization.

Hammer and Champy [9], as a component of their reengineering recommendations, believe that there should be reduced checks, controls, and reconciliations, for more efficient information security. Anderson [21] and others have highlighted the increased importance of availability and integrity, relative to confidentiality, for today's commercial systems. This is because spontaneity demands availability and integrity. Paul [22] points out that the more user-friendly a system is, the less cost-effective preventive controls will be, as it is unrealistic these days to expect to be able to prevent all unauthorised accesses technologically. He therefore recommends detective controls rather than preventive controls, for open systems.

Baskerville [2] proposes steps for improved information security, including:

• increase the reliance on people for control;

• increase the role of logical safeguards;

• promote temporary, throw-away security;

• co-opt additional security staff;

• disperse security authority;

• upscale the security training capability;

• reorganize security staff;

• develop an adaptive security framework;

• review overall organizational trends.

Extending the above concepts to a vision of information security for an adaptive organization, one can envisage a toolbox of control modules, each module being highly cohesive (i.e. possessing one and only one function, e.g. authentication by password), and with minimal coupling between modules. Some controls will be designated as baseline controls, and these should be selected by qualitative risk assessment techniques, for example checklists. People with professional expertise in the specific situation requiring information security will select further controls as required, again using qualitative risk assessment techniques. Each control will be robust, and as reusable as possible.

Control modules may be selected and deselected for an information system as required. The modules themselves will be highly maintainable, due to their high level of cohesion and low level of coupling. Some modules may be logical in nature, whilst others may be physical. People will act as backstops to each of the control modules, ensuring that the inherent controls are flexible, and are maintained as required, and also ensuring that there is system availability should the controls fail.

Evaluation of information security design principles for adaptive organizations

What are the implications of the information security needs for adaptive organizations discussed in the previous section, for Wood's twenty-three principles? In the discussion of each principle below, the names of some principles have been changed, to reflect a new emphasis.

Cost-effectiveness: Controls should not be selected via quantitative risk analysis techniques which use numeric estimates of likelihood and dollar-impact as their underlying components, as such techniques have been shown to be of minimal use for adaptive organizations [2]. Annual loss-based cost-effectiveness will be impossible to ascertain with any degree of accuracy, and a different definition of cost-effectiveness is therefore required.

Simplicity: Development of controls must be simple, as time spent in total system development needs to be short. Controls should be extremely simple to use, as users will have very little (if any) training, and are effectively novice users for the majority of a system's (short) lifespan.

Override: Simple steps should be able to be taken to easily override controls temporarily when required. This is because it will be difficult, with a short development lifecycle, to find the time to set up a complete set of workable controls. This principle will thus be of even greater importance than for traditional organizations.

Overt design and operation: Controls should be designed as overtly as is feasible, without undue reliance on the secrecy aspect, as the controls are going to become very well-known anyway, if they are to truly possess universal applicability. This principle will be even more important for adaptive organizations than for traditional ones.

Discretionary privilege: Users should be initially granted the least access privileges necessary for performance of their jobs (typically "Need-to-Know" access). However, discretionary access will be acceptable (i.e. users passing on their access privileges as necessary), to ensure minimal restrictivity.

Entrapment: This principle will be of minimal use, as systems will not be operational long enough for such complex controls to be required, designed, implemented, or effective. Also, adaptive organizations are built on user trust, and the condoned use of entrapment as a principle is not conducive to user trust.

Independence of control and subject: The person(s) who develop a control should not be the person(s) controlled by the control. This principle should be applied for adaptive organizations.


Discretionary application: A control should be applied uniformly and consistently over the relevant domain, with discretionary exceptions in order to enable minimal restrictivity.

Acceptance of control subjects: Controls should be well-accepted by users. This principle applies strongly, as with all systems, users will not use a control effectively, or will circumvent a control, unless all aspects of it are user-friendly.

Sustainability: Each control should be robust and enduring over time, as it will be reused by many different information systems.

Auditability: Controls must generate evidence to demonstrate their correct operation. This principle is applicable, as with the assumption of user trust, the safety net of an audit trail will be even more crucial.

Accountability: Users must be individually and collectively responsible for controls. This principle is of even greater importance for adaptive organizations, where information security authority lies at the lower levels of the organization.

Defensive depth: Controls should be layered to provide depth of control, as the situation requires. Defensive depth, however, should be minimised where possible, in order to enable spontaneity and availability. Further, there will not be the same amount of time, and thus opportunity, for users to discover system access vulnerabilities, as systems will have short lifespans.

Isolation and compartmentalisation: There may not be the time to split information resources up in order to minimise the extent of the information resource loss, as rapid development of the required information system may be negatively affected. Thus, this principle is of less use for adaptive organizations than for traditional organizations.

Least common mechanism: Minimise reliance on an important system component that may become unavailable. This principle is of greater importance for adaptive organizations; as stated earlier, in commercial, short-lived, open systems, availability is often of greater importance than secrecy [21].

Control the core: Controls should not generally concentrate on detection and prevention at the point of attempted break-in, as the boundary of the organization will be ill-defined; for example, suppliers and customers may be on project teams. Instead, controls should be focussed on the most important, or core, information resource - the data itself.

Consistency (but not completeness): Controls should no longer be selected to cover all possible compromise attempts, as these will be unable to be well-defined due to the relative uselessness of risk-analysis techniques; however controls should still operate frequently and regularly.

Default to human involvement: When a control fails, access should be referred to an authorised human, who will then decide whether access should be denied or granted.
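The toolbox of cohesive, loosely coupled control modules described earlier, and the contrast between Wood's "default to denial" and the "default to human involvement" proposed here, can be made concrete in code. The following is an added example written for this page; it is not code from the article or from any of the cited authors. The control names, the CredentialStore stand-in and the HumanReferral queue are constructed for illustration, and the sample credentials and grants are made up.

```python
# Added example (not from the article): control modules that each do one thing
# and see only the request, with the failure policy as a swappable part.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    presented_password: str = ""

@dataclass
class Decision:
    outcome: str                       # "granted", "denied" or "referred"
    audit_trail: List[str] = field(default_factory=list)

class ControlUnavailable(Exception):
    """A control could not operate (e.g. its backing service is offline)."""

class CredentialStore:
    """Constructed stand-in for a directory that may go offline."""
    def __init__(self, credentials: Dict[str, str]) -> None:
        self.credentials = credentials
        self.online = True
    def lookup(self, user: str) -> Optional[str]:
        if not self.online:
            raise ControlUnavailable("credential store offline")
        return self.credentials.get(user)

# A control module has one function (high cohesion) and depends only on the
# Request (low coupling): it returns pass/fail, or raises ControlUnavailable.
Control = Callable[[Request], bool]

def password_control(store: CredentialStore) -> Control:
    """Authentication by password, and nothing else."""
    return lambda req: store.lookup(req.user) == req.presented_password

def need_to_know_control(grants: Dict[str, Set[Tuple[str, str]]]) -> Control:
    """Least privilege: the user needs an explicit (resource, action) grant."""
    return lambda req: (req.resource, req.action) in grants.get(req.user, set())

# A failure policy decides what happens when a control cannot operate.
FailurePolicy = Callable[[Request, str], str]

def default_to_denial(req: Request, control_name: str) -> str:
    """Wood's principle: a control that fails denies access."""
    return "denied"

class HumanReferral:
    """Default to human involvement: park the request for an authorised person."""
    def __init__(self) -> None:
        self.queue: List[Tuple[Request, str]] = []
    def __call__(self, req: Request, control_name: str) -> str:
        self.queue.append((req, control_name))
        return "referred"

class ControlPipeline:
    """Modules are selected and deselected per system; every outcome is logged."""
    def __init__(self, on_failure: FailurePolicy) -> None:
        self.controls: Dict[str, Control] = {}
        self.on_failure = on_failure
    def select(self, name: str, control: Control) -> None:
        self.controls[name] = control
    def deselect(self, name: str) -> None:
        self.controls.pop(name, None)
    def evaluate(self, req: Request) -> Decision:
        trail: List[str] = []           # auditability: evidence of each control's operation
        for name, control in self.controls.items():
            try:
                passed = control(req)
            except ControlUnavailable as exc:
                trail.append(f"{name}: unavailable ({exc})")
                return Decision(self.on_failure(req, name), trail)
            trail.append(f"{name}: {'pass' if passed else 'fail'}")
            if not passed:              # a control that rejects the request always denies
                return Decision("denied", trail)
        return Decision("granted", trail)

def demo() -> Dict[str, object]:
    """Same request through both pipelines, with the credential store up and then down."""
    store = CredentialStore({"alice": "correct horse"})    # constructed sample data
    grants = {"alice": {("ledger", "read")}}
    req = Request("alice", "ledger", "read", "correct horse")
    referral = HumanReferral()
    traditional = ControlPipeline(default_to_denial)     # Wood: default to denial
    adaptive = ControlPipeline(referral)                  # revised: default to human
    for pipeline in (traditional, adaptive):
        pipeline.select("password", password_control(store))
        pipeline.select("need_to_know", need_to_know_control(grants))
    results: Dict[str, object] = {}
    results["store_up"] = (traditional.evaluate(req).outcome, adaptive.evaluate(req).outcome)
    store.online = False
    results["store_down"] = (traditional.evaluate(req).outcome, adaptive.evaluate(req).outcome)
    results["queued_for_human"] = len(referral.queue)
    return results
```

With the credential store up, both pipelines grant the request. When the store goes offline the traditional pipeline fails closed, while the adaptive one queues the request for a person and keeps the audit trail that explains why; only the failure policy differs, which is what keeping the modules cohesive and uncoupled buys.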

Parameterization: Variable controls provide greater flexibility and effectiveness. This principle is particularly applicable to adaptive organizations.

Semi-hostile environment: Controls should be designed for an environment where the users are to be fundamentally trusted, or are generally novice users. A hostile environment is not conducive to the teamwork and empowerment concepts. There should not be as many situations where there will not be a long enough system lifespan to allow untrustworthy users to become familiar with, and subsequently attack, a system.

Human involvement: People, as well as technology, should act as controls by being involved in information security decisions. This principle is of greater importance than for traditional organizations, as there may not be sufficient time to develop adequate, self-sufficient and feasible technological controls.

Changing image: The organization should present a changing image to the public, thus discouraging attack due to the overheads involved in system familiarisation prior to any planned attack.

Low profile: The company should present a low profile to the public, in order to conceal the existence of valuable information resources. This minimises the chances of attack. This principle is equally applicable for traditional and adaptive organizations.

Six additional information security principles for adaptive organizations are proposed below:

Flexibility: Controls should be flexible in design, so that they can be used in a variety of ways, to suit different situations.

Maintainability: Controls must be easily maintainable, so that any necessary changes can be made quickly and easily, before the end of the system's life.

Logicality: Controls should have an underlying logical component which can be easily extracted and isolated. Wholly logical controls should be designed wherever possible.

Reusability: Controls should be reusable by a variety of applications.

Disposability: Controls should be able to be disposed of from an application when no longer required.

Interpretability: Controls should be open to human interpretation, so that systems will not lose their availability due to a rigid, technological interpretation.

Conclusion

Increasing numbers of adaptive organizations are appearing, and the need to develop appropriate, effective information security for these organizations is highly relevant.

Traditional information security design principles have been evaluated with respect to adaptive organizations.

Some existing principles have been revised, and additional principles suggested. Information security requirements for adaptive organizations need to be investigated further, via alternative research methods such as case studies and surveys.

Case study research is underway at present. Research is also being carried out into evaluating a more extensive set of principles than Wood's set. Practical, managerial, legal and ethical issues involved in the evaluated principles should be investigated.

Heading down another path, research into the relationships between information security principles may lead to a useful information security development model. This article, then, serves as a basis for further research into this important area.


References

1. Wood, C.C., Principles of Secure Information Systems Design, Computers and Security, 9, 1990.

2. Baskerville, R., Information Systems Security: Technology and Management, Copenhagen Business School, Copenhagen, 1992.

3. Parker, D.B., Computer Security Management, Reston, 1981.

4. Parker, D.B., Safeguard Selection Principles, SRI International, Menlo Park, California, USA, 1984.

5. Saltzer, J.H., Protection and the Control of Information Sharing in Multics, Communications of the ACM, 17(7), July 1974.

6. Saltzer, J.H. and Schroeder, M.D., The Protection of Information in Computer Systems, Proc. IEEE, 63(9), 1975.

7. Bennis, W.G., Changing Organizations, McGraw-Hill, New York, 1966.

8. Galbraith, J.R., Lawler, E.E. and Associates, Organising for the Future: The New Logic for Managing Complex Organizations, Jossey-Bass Publishers, San Francisco, 1993.

9. Hammer, M. and Champy, J., Reengineering the Corporation, HarperCollins Publishers, Inc., 1993.

10. Pascale, R., Managing on the Edge: How the Smartest Companies Use Conflict to Stay Ahead, Simon and Schuster, 1990.

11. Pasmore, W.A., Creating Strategic Change: Designing the Flexible, High Performing Organization, John Wiley and Sons Inc., 1994.

12. Peters, T., Restoring American Competitiveness: Looking for New Models of Organizations, Academy of Management Executive, 11(2), 1988.

13. Peters, T., Liberation Management, Pan Macmillan Publishers Limited, 1992.

14. Senge, P.M., The Fifth Discipline: The Art and Practice of the Learning Organization, Doubleday, New York, 1990.

15. Toffler, A., The Adaptive Corporation, Pan Books, 1985.

16. Burns, T. and Stalker, G.M., The Management of Innovation, Tavistock, 1966.

17. Gaines, S. and Shapiro, N.Z., Some Security Principles and Their Application to Computer Security, Operating Systems Review, 12, 1978.

18. Toffler, A., Future Shock, Bantam Books, New York, 1970.

19. Mintzberg, H., Mintzberg on Management, The Free Press, 1989.

20. Robbins, S.P., Essentials of Organizational Behaviour, Prentice-Hall, Englewood Cliffs, N.J., 1994.

21. Anderson, A.M., Comparing Risk Analysis Methodologies, Proceedings of the IFIP TC11 Seventh International Conference on Information Security, 301-311, 1991.

22. Paul, R.G., Open Systems Architecture: A New Challenge for EDP Auditors, The EDP Auditor Journal, 1, 1992.

Sharman Lichtenstein is a Senior Lecturer in the Department of Information Systems, Monash University, Melbourne, Australia. She has experience as a programmer and systems analyst and has been extensively involved in information security research and consulting.
