
This research work stands in the Information System Security Risk Management domain. In this section, we define step by step the different concepts and the boundaries of the work, summarised in Figure 1.4.

Figure 1.4: Scope related to the Information System Security Risk Management domain

1.4.1 Information System

A lot of work has been done in the frame of IS terminology (and already on `system' terminology in general [Moi77, VB93]) and many definitions were already proposed [Moi77, FHL+98, RFB88]1. However, no agreement has been found on defining what an IS is [Car00]. The definition of IS used should generally be related to the domain in which it is applied. The one provided by Wikipedia [Wik08a] is a good example regarding the scope of this work: "A system, whether automated or manual, that comprises people, machines, and/or methods organised to collect, process, transmit, and disseminate data that represent user information." It is thus clear that the domain of this thesis encompasses not only the security of software systems or IT architecture, but also covers the people and facilities playing a role in an IS and so in its security. For example, people following a procedure and encoding data, or the air conditioning of a server room, are as important as software or network security. As an illustration, let us assume that the client database of @rchimed and its associated network are highly secure, using the best practices currently known in terms of encryption, authentication, data redundancy, etc. If the employees are not aware of security, some attacks using social engineering on an employee can be successful [MS03], leading to the disclosure of their personal login information to the attacker and making all of the technical security measures useless. Thus, the state of the art will focus on literature targeting the whole of IS security and not on literature focused only on the security of IT components. Moreover, different terms are used to denote the security of an IS in general, and they are usually used (wrongly) as synonyms: Information Technology Security, Information and Communications Technology Security, Information Security, etc. Considering that the scope of this thesis is clearly focused on a whole IS, this work uses the term Information System Security (IS security), which seems to be the most relevant to the research context.

1This list is clearly far from being exhaustive, considering the number of publications trying to define the

1.4.2 Risk Management

The most generally agreed upon definition of risk is the one found in ISO/IEC Guide 73 [ISO02b]. There, risk is defined as a combination of the probability of an event and its consequence [ISO02b]. Following this definition, RM is defined as coordinated activities to direct and control an organisation with regard to risk [ISO02b]. Depending on the context, RM can address various kinds of issues [The01], [ISO04a]. For example, risks can be related to the organisation's management (e.g., illness of a key person with regard to the business), finance (e.g., related to investment), environment (e.g., pollution), or security. In this thesis, we focus only on security RM in the context of an IS (following the definition proposed in Section 1.4.1). Other kinds of risk such as financial or project risk, even when related to an IS, are out of the scope2.

1.4.3 Security

In the literature, security is generally understood in two different manners. The first kind of approach [Fir03] uses the term `security' for what concerns malicious (or deliberate) harm to the IS, and the term `safety' for what concerns accidental harm. Firesmith [Fir07b] uses the broader notion of defensibility to cover both security (in the above sense) and safety. The notion of security that we adopt in this work, and that defines the scope, is the broader one: it is in fact a synonym of defensibility in Firesmith's sense. The different standards, methods and frameworks studied cover both domains, and thus deal with malicious and accidental harm, as depicted in Figure 1.5. We decided to keep the term `security' because it is the most commonly used term in the ISSRM literature [ISO05b, ISO04b, DCS04b, CLU07b, AD01b, VML+07, etc.] for this domain.

The second typical difference recognised between security and safety is related to the objective to be reached. Security aims at protecting the confidentiality, integrity and availability of information and/or processes in an organisation [ISO04b, Com06a]:

• Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes;

• Integrity is the property of safeguarding the accuracy and completeness of assets. Accuracy could be threatened by (unauthorised or undesirable) update or tampering. Completeness could be threatened by alteration or deletion;

• Availability is the property of being accessible and usable upon demand by an authorised entity.

Some other criteria like authenticity, non-repudiation or accountability might be added when the context requires it, but they are usually deemed secondary [ISO04b]. Safety relates to risks that may affect human life or environmental health [UK 96, LCJ05]. This notion is commonly used in aeronautics and other transport systems [Lev95]. This domain is not in the scope of this thesis, as we focus only on information security.

2The reader should not overinterpret this statement as saying that those various kinds of risk are unrelated. On the contrary, they are often related, e.g., an increase in security risks is usually accompanied by increased project and financial risks for a company. The sole purpose here is to state that, for reasons of feasibility, only security risk is a direct object of study for us.


Figure 1.5: Security and safety differentiated by the cause

All of the standards, methods and frameworks studied aim at maintaining the confidentiality, integrity and availability of information. However, information security can sometimes be related to human life or environmental health. This intersection is especially growing as IT components are embedded in all kinds of products, and more and more of organisations' infrastructures are managed through an IS. For example, some medical information requires integrity; otherwise a patient's life can be in danger. This case remains in the scope, as depicted in Figure 1.6, denoted by the colouring of the intersection between the two sets.

Figure 1.6: Security and safety differentiated by the objective

Summing up, the objective of ISSRM is thus to protect the essential constituents of an IS from all harm to IS security (confidentiality, integrity, availability), whether arising accidentally or deliberately, by using an RM approach.

1.5 Claimed contributions and research questions