Deakin University

File(s) under permanent embargo

The ascent of asymmetric risk in information security: an initial evaluation

conference contribution
posted on 2009-01-01, 00:00 authored by T Ruighaver, Matthew Warren, A Ahmad
Dramatic changes in the information security risk landscape over several decades have not yet been matched by similar changes in organizational information security which is still mainly based on a mindset that security is achieved through extensive preventive controls. As a result, maintenance cost of information security is increasing rapidly, but this increased expenditure has not really made an attack more difficult. The opposite seems to be true, information security attacks have become easier to perpetrate and appear more like information warfare tactics. At the same time, the damage caused by a successful attack has increased significantly and may sometimes become critical to an organization. In this paper we evaluate one particular extremely asymmetric risk where a strongly motivated attacker unleashes a prolonged attack on an organization with the aim to do maximum damage, and suggest that the probability of such an attack is increasing. We discuss how preventive controls are unlikely to ever be effective against such an attack and propose more advanced strategies that aim to limit the damage when such an attack occurs. One crucial lesson to be learned for those organizations that are dependant on their information security, such as critical infrastructure organizations, is the need to deny motivated attackers access to any information about the success of their attack. Successful deception in this area is likely to significantly reduce any potential escalation of the incident.



Australian Information Warfare and Security. Conference (10th : 2009 : Perth, W.A.)


Edith Cowan University


Perth, Western Australia

Place of publication

Perth, W.A.

Start date


End date




Publication classification

L1 Full written paper - refereed (minor conferences); E Conference publication

Title of proceedings

Proceedings of the 10th Australian Information Warfare and Security Conference

Usage metrics

    Research Publications


    No categories selected