IT Insecurity

The problem of securing information processed, stored and communicated by information technology (IT) systems, is examined using a variety of approaches, including General Systems Theory, sociology, criminology, computer science, and information systems theory.

The General Systems Theory approach is used to develop a model of socio-technical security systems for protecting information handled by IT. This model is then used to focus the analysis of the problem into the four areas of ethics, politics and law, operations and management, and technology.

Ethical attitudes associated with IT and IT abuse behaviour among university students in Sweden and Canada are studied voth longitudinally and comparatively. The longitudinal study indicates that between 1986 and 1991 there were some significant changes in ethical attitudes along with an increase in IT abuse behaviour.

The political and legal study of the problem focuses on the development of national IT systems security evaluation criteria. North American and European criteria are used to analyse 47 crime cases reported to the Swedish police between 1987-1989. It is found that these criteria correspond to a large extent to the IT crime cases.

In the operational and managerial part of the thesis the problem of distributing and maintaining IT system security manuals are discussed and a conceptual model of a hypertext IT security manual is presented.

A client server model for managing audit and accountability information in health care information systems is proposed in the technical part. The model builds on the European Manufacture's Association's security framework. A technical walk through of the model along with a list of protocol service primitives are outlined.

The thesis concludes with a synthesis of the ethical, political and legal, operational and managerial, and technical IT security constraints into a conceptual model of IT security referred to as the Security By Consensus (SBC) model.

1. Introduction and Summary
• Part 1: Ethical Inquiry
2. Computer Ethics and Computer Abuse: A Study of Swedish and Canadian University Data Processing Students
3. Computer Ethics and Computer Abuse: A Longitudinal Study of Swedish University Students
• Part 2: Political & Legal Inquiry
4. The ABC's and E's of National Computer Security Policies
5. A Critique of the Orange Book
6. Do Computer Security Models Model Computer Crime: A Study of Swedish Computer Cases
• Part 3: Managerial-Operational Inquiry
7. The Manual is the Message
• Part 4: Technical Inquiry
8. Historical Labels in Open Distributed IT Systems: An ITSEC(ECMA Specification
9. An Accountability Server for Health Care Information Systems
• Part 5: Synthesis
10. The SBC Model: Modeling the Systyem for Consensus
11. A SBC Modeling of USA's National Computer Security Policy
12. A SBC Analysis of an US National Computer Security Conference
13. Reporting IT Crimes: The SBC Model as a Conceptual Framework

There are some gems in here, but you can safely avoid this.