• Home
• Library
• DRO home

The ascent of asymmetric risk in information security: an initial evaluation Ruighaver, Tobias, Warren, Matthew and Ahmad, Atif 2009, The ascent of asymmetric risk in information security: an initial evaluation, in Proceedings of the 10th Australian Information Warfare and Security Conference, Edith Cowan University, Perth, W.A.. Title The ascent of asymmetric risk in information security: an initial evaluation Author(s) Ruighaver, Tobias Warren, Matthew Ahmad, Atif Conference name Australian Information Warfare and Security. Conference (10th : 2009 : Perth, W.A.) Conference location Perth, Western Australia Conference dates 1 - 3 December, 2009 Title of proceedings Proceedings of the 10th Australian Information Warfare and Security Conference Editor(s) [Unknown] Publication date 2009 Conference series Australian Information Warfare and Security Conference Publisher Edith Cowan University Place of publication Perth, W.A. Summary Dramatic changes in the information security risk landscape over several decades have not yet been matched by similar changes in organizational information security which is still mainly based on a mindset that security is achieved through extensive preventive controls. As a result, maintenance cost of information security is increasing rapidly, but this increased expenditure has not really made an attack more difficult. The opposite seems to be true, information security attacks have become easier to perpetrate and appear more like information warfare tactics. At the same time, the damage caused by a successful attack has increased significantly and may sometimes become critical to an organization. In this paper we evaluate one particular extremely asymmetric risk where a strongly motivated attacker unleashes a prolonged attack on an organization with the aim to do maximum damage, and suggest that the probability of such an attack is increasing. We discuss how preventive controls are unlikely to ever be effective against such an attack and propose more advanced strategies that aim to limit the damage when such an attack occurs. One crucial lesson to be learned for those organizations that are dependant on their information security, such as critical infrastructure organizations, is the need to deny motivated attackers access to any information about the success of their attack. Successful deception in this area is likely to significantly reduce any potential escalation of the incident. Language eng Field of Research 090609 Signal Processing Socio Economic Objective 890201 Application Software Packages (excl. Computer Games) HERDC Research category L1 Full written paper - refereed (minor conferences) ERA Research output type E Conference publication HERDC collection year 2009 Persistent URL http://hdl.handle.net/10536/DRO/DU:30024616 Document type: Conference Paper Collections: Faculty of Business and Law School of Information and Business Analytics Related Links Link Description Connect to published version (restricted access) Go to link with your DU access privileges     Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved. Versions Version Filter Type Tue, 02 Mar 2010, 10:05:10 EST Fri, 05 Mar 2010, 11:30:57 EST Fri, 05 Mar 2010, 14:39:43 EST Mon, 08 Mar 2010, 14:12:04 EST Tue, 09 Mar 2010, 14:49:34 EST Tue, 30 Mar 2010, 10:20:27 EST Tue, 30 Mar 2010, 10:21:28 EST Wed, 26 Oct 2011, 11:37:02 EST Wed, 26 Oct 2011, 11:39:26 EST Fri, 16 Mar 2012, 17:49:37 EST Tue, 04 Jun 2013, 14:01:17 EST Filtered Full Access Statistics: 386 Abstract Views, 5 File Downloads  -  Detailed Statistics Created: Tue, 02 Mar 2010, 10:05:07 EST by Katrina Fleming

Every reasonable effort has been made to ensure that permission has been obtained for items included in DRO. If you believe that your rights have been infringed by this repository, please contact drosupport@deakin.edu.au.