Abstract
Data loss poses a significant and increasing problem for organisations. This is shown by the regular stories of data loss reported daily in the media, such as the mailing of 2 CDs containing 25 million personal records by the Revenue and Customs in the UK. There is a need to provide systematic protection to data in all its forms and locations however it is accessed. We have developed Searchlight, a three-layer security architecture containing the physical, logical and social levels, which we use to analyse data loss holistically to prevent, detect and recover from exposure. We examine deliberate and accidental data loss by employees, but the same analysis can be straightforwardly applied to external attacks. Our practical security model appears to have widespread application to other problem domains such as critical infrastructure, the insider threat and financial systems, as it allows the analysis of systems in their entirety including human and physical factors, not just as technical systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
McAfee, Unsecured economies: protecting vital information (2009), http://resources.mcafee.com/content/NAUnsecuredEconomiesReport
Ponemon Institute. 2008 Annual Survey: Cost of a Data Breach (February 2009), www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf
Blackwell, C.: Data Loss: the Essentials (September 2009), IT Governance at www.itgovernance.co.uk or www.27001.com
Bunker, G., Fraser-King, G.: Data Leaks for Dummies. Wiley, Chichester (2009)
Neumann, P.G., Parker, D.: A Summary of Computer Misuse Techniques. In: Proceedings of the 12th National Computer Security Conference (1989)
Neumann, P.G.: Practical Architectures for Survivable Systems and Networks. SRI International (2000), www.csl.sri.com/neumann/survivability.pdf
Searle, J.R.: Minds, Brains, and Programs, from The Behavioral and Brain Sciences, vol. 3. Cambridge University Press, Cambridge (1980), http://web.archive.org/web/20071210043312/http://members.aol.com/NeoNoetics/MindsBrainsPrograms.html
Howard, J.D.: An analysis of security incidents on the Internet 1989-1995. Carnegie Mellon University (1997), www.cert.org/archive/pdf/JHThesis.pdf
Howard, J.D., Longstaff, T.A.: A common language for computer security incidents. Sandia National Laboratories (1998), www.sandia.gov
Blackwell, C.: The insider threat: Combating the enemy within (2009), IT Governance at www.itgovernance.co.uk or www.27001.com
Blackwell, C.: A Security Architecture to Model Destructive Insider Attacks. In: 8th European conference on information warfare. Academic Publishing Ltd. (2009)
Howard, M.: Attack surface: mitigate security risks by minimizing the code you expose to untrusted users. MSDN Magazine (November 2004), http://msdn.microsoft.com/en-us/magazine/cc163882.aspx
MSNBC. T.J. Maxx data theft worse than first reported (29 March 2007) MSNBC at: www.msnbc.msn.com/id/17853440
Poynter, K.: Review of information security at HM Revenue and Customs. HMSO (2008), www.hm-treasury.gov.uk/d/poynter_review250608.pdf
Blackwell, C.: A Multi-layered Security Architecture for Modelling Complex Systems. In: 4th Cybersecurity Information Intelligence Research Workshop. ACM Press, New York (2008)
Anderson, R.: Why cryptosystems fail. In: 1st ACM conference on computer and communications security. ACM Press, New York (1993)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Blackwell, C. (2010). A Security Architecture to Protect Against Data Loss. In: Weerasinghe, D. (eds) Information Security and Digital Forensics. ISDF 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 41. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11530-1_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-11530-1_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11529-5
Online ISBN: 978-3-642-11530-1
eBook Packages: Computer ScienceComputer Science (R0)