LITMIR.BIZ

1 Security

      1.1 Introduction

      Over a short period of time, people and businesses have come to depend greatly upon computer technology and automation in many different aspects of their lives. Computers are involved in managing and operating public utilities, banking, e‐commerce and other financial institutions, medical equipment and healthcare services, government offices, military defense systems, and almost every possible business and day‐to‐day activities of the people. This level of dependence and the extent of Internet technology integration made security necessary discipline as stated by the Organisation for Economic Cooperation and Development (OECD) in [OECD 2006]:

      Security must become an integral part of the daily routine of individuals, businesses and governments in their use of Internet Communication Technologies (ICTs) and conduct of online activities.

      Security is the condition of being protected against danger and loss. In general usage, security is similar to safety. Security means that something is not only secure but also it has been secured.

      There are various definitions of security provided by different dictionaries (e.g. security is freedom from danger; safety) (see more definitions in Appendix A), but all of them basically agree on some components, and they miss this point: they do not translate readily into information technology (IT) terms. In the IT sector, there is an acceptance that there is no pure risk‐free state, whatever it is done (or not done), but it carries a risk.

      Therefore, the definitions should not be considered as absolute descriptions of the word security in the real world because they individually describe a practically impossible goal. In order to describe security in a more realistic way, by combining the definitions provided by two dictionaries, new definitions are suggested (e.g. [Fragkos 2005]).

      Thus, the definition of security is understood as the capability of a system to protect its resources and to perform to its design goals. However, definitions may differ among users, standards organizations, and industries. Also, several concepts and definitions for security and many related terms have evolved in time to reflect emerging trends. Some other terms are used such as information security and cybersecurity. In a computing context, the term security implies cybersecurity [TechTarget]. Information security was first brought to the public’s attention by the release of the first guidelines to protect the security of information systems in 1992 [OECD 1992].

Ten years later, the OECD reviewed the guidelines to take into account the generalized adoption of Internet technologies, which enabled the openness and interconnection of formerly closed and isolated information systems. The need to develop a culture of security and greater awareness was initiated in 2002 by OECD [OECD 2002] for OECD members and nonmembers alike; it was adopted by United Nations in 2002 [UN 2002]. The OECD document [OECD 2002] emphasizes the need to take into account the emergence of the open Internet and the generalization of interconnectivity. These guidelines apply to all participants in the new information society.

      Security is, therefore, currently a widespread and growing concern that covers all areas of society: business, domestic, financial, government, and so on. Often security has different meanings to different people. There are several definitions and terms that sometimes make the security an ambiguous field. For example, in the energy sector, energy security refers to the uninterrupted availability of energy sources at an affordable price [IEA 2016]. To a power engineer, security means that power flows between utilities are open. Another view of security is a three‐legged stool consisting of physical security, information technology (IT) security, and industrial control systems (ICS) security [Weiss 2010].

      Security has a wide base and addresses specific issues regarding computers, networks, communication devices, data, information, people, organizations, and governments. Users must have confidence that information systems operate as intended without unanticipated failures or problems. Also, users must have confidence that information is handled timely, accurately, confidentially, and reliably.

      Following this document [OECD 2002], OECD published more technical guidelines and recommendations for the implementation and management of security [OECD 2003], [USCIB 2004], [OECD 2005], [OECD 2008] including privacy [OECD 2016]. Revisions of the guidelines are reported in [OECD 2012a], [OECD 2012c].

      On 17 September 2015 the OECD Council adopted the Recommendation on Digital Security Risk Management [OECD 2015], which replaces the 2002 guidelines. The [OECD 2015] document provides guidance for a new generation of national strategies on the management of digital security risk aimed to optimize the economic and social benefits expected from digital openness. The recommendation calls on governments, public, and private organizations to adopt an approach to digital security risk management that builds trust and takes advantage of the open digital environment for economic and social prosperity. As described in this document, digital security implies that security is approached from at least four different perspectives, each stemming from a different culture and background, recognized practices, and objectives: