Is Theory Any Use for Information Security Managers?
The prime purpose of this high-profile, high-quality closed workshop
for practitioners and academics in the field was to initiate a much-needed
dialogue between security managers and the academics who study the area.
Two key areas were explored: the gap between academics and practitioners,
and the role and function of standards and frameworks in bridging
that gap. The workshop was organised jointly by the Computer Security
Research Centre at the LSE and the International Federation for
Information Processing Working Group 9.6/11.7 (IT Misuse and the
Law). Both bodies have been pushing the boundary of information
security research, and this event brought the two together.
Bridging the Gap
The critical insight afforded by experience from organisations makes
academic study relevant. Conversely practitioners have a real need
for the explanations and understanding that theory can bring.
Theory work is normally undertaken by academics whose main concern
is to succeed in making their name and publishing papers. Academics
are paid to produce ideas. Practitioners are judged by whether they
meet business objectives. How can this dichotomy be bridged? This
workshop demonstrated examples of useful cooperation where practitioners
and academics have worked to develop or extend theory with practical
application.
Frameworks and Standards
Standards have become a critical feature in the management of information
security, but how far do they meet the needs of the practitioner
while also providing a basis for research?
Can practical standards be developed within a framework of existing
standards? The workshop considered issues of enforcement and compliance.
Examples of useful cooperation were examined, especially where feedback
loops are in effect. Did we learn from our mistakes? How far can
new standards for practice be developed within frameworks already
in place? What value do standards have for security managers and
how far do standards limit managers’ options? The recently
revised BS7799 is one standard that is of particular interest.
Presentations
For this workshop we were pleased to showcase seven key
speakers hailing from both the academic and practitioner communities.
Each speaker contributed a distinctive view on the field of information
security, leading to useful and stimulating discussion.
Keynote speaker
The Keynote Address was given by Professor Ian Angell of the Information
Systems Department at the London School of Economics. He has advised
UNIDO, the European Security Forum and the House of Commons Parliamentary
Information Technology Committee on the threats posed by technical,
and resulting organisational, developments in information technology.
The interconnectedness of social theory and
organisational practice in information security.
What does a research agenda look like which builds around interconnectedness?
By Dr. James Backhouse, Director of the Computer Security Research
Centre, LSE.
The need for an "applied security/risk"
research agenda.
A presentation on bridging the gap between research and professional
practice from the perspective of the applied security/risk agenda.
This presentation also challenged the assumption that security is the
problem we are trying to solve. In practice, practitioners are
trying to solve configuration, privilege and risk management problems,
while IT vendors are trying to solve security problems, and so are,
or can be, close to research. By Mr. Phil Venables, Chief Information
Security Analyst, Goldman Sachs USA.
Security standards and changes in
the nature of work.
Do security standards affect the way we work, and how well are changes
in work practices reflected in new standards? By Dr. Michael Barrett,
E-Business and Information Systems, Judge Institute of Management,
University of Cambridge.
Information security awareness and
policy implementation and the role of frameworks and standards.
What role do frameworks and standards play in raising information
security awareness and implementing policy? By Mr. Dominic Steinitz,
Security Strategy & Architecture Manager, Royal Bank of Scotland
Group.
Towards the human firewall - standards,
pitfalls and suggestions.
This presentation addressed the human side of information security
as a whole: what the current situation is in organisations, what it
should be, how it could be addressed, what is being done currently,
and what impact it will have in practice. By Professor R. Von Solms,
Department of Information Technology, Port Elizabeth Technikon,
Port Elizabeth.
The real threats of information security,
and the role of the academic to perceive them and the practitioner
to act on them.
What are the ‘real’ threats faced by information security
managers, and what practical limits are there to academics and practitioners
working together to resolve these issues? By Mr. David Spinks, Director
of Information Assurance for Europe, Middle East and Africa (EMEA).
Amalgamating standards and best practices.
A presentation on developing best practices for the State of Georgia
that amalgamate a number of standards and best practices, including
ISO 17799, as part of a joint industry and academic working group.
By Professor Richard Baskerville, Chairman, CIS Department, Georgia
State University.
Forming public policy on security.
How far do the views of academia influence important policy issues?
This presentation discussed the scrutiny of UK e-commerce policy and
the development of Critical National Infrastructure policy. By Mr.
Peter Sommer, House of Commons Specialist Adviser.
Technical Security Research Project.
Presentation on the creation of a technical research unit on smart
cards, funded by Vodafone and others. By Professor Fred Piper, Information
Security Group, Royal Holloway College.
Policy Security Research Project.
Presentation on the Fiducia project on PKI interoperability, funded
by ESRC/DTI. By Dr Carol Hsu, Computer Security Research Centre,
London School of Economics.
Organisers
Computer Security Research Centre
The CSRC was opened in July 1991 to examine information security
in a wide range of organisations. The Centre has developed frameworks
for understanding security management, which have attracted the
attention of specialist conferences and practitioners.
The Centre targets the Information Systems academic community; social
scientists studying the "information society"; professionals
working in Information Systems and especially IS security; lawyers
working in the field of computer-related crime and data protection;
and policy makers in the information security field.
Our model of information suggests that beyond the immediate concern
for data and its protection lie issues of the context in which the
data has meaning and value. Any purely technical fix for information
security will always ignore the social and organisational context
that ultimately determines success or failure. Effective management
understands the complex interrelation of technical and social issues
in the security domain. The Centre's cardinal goal is to develop
and strengthen this understanding.
WG9.6/11.7 - Information Technology
Mis-Use and the Law
Established 1990, revised 1992, 2001.
AIMS
To foster co-operation between the "Computers and Society"
and "Information Security" communities on issues of "IT
misuse and the law".
To develop an understanding in IFIP committees and national bodies
of:
threats associated with IT systems and the related legal concerns.
risks to people and organisations arising from these threats.
responsibilities of people and organisations arising from legal
and other provisions for information security.
risks arising from incoherency between legal, technical and managerial
provisions.
the impact of IT systems on current law (e.g. criminal and
civil law) and the potential problems that arise.
To propose and/or evaluate legal and other prescriptions to combat
these threats and their associated risks.
To engender information exchange on threats, their origins, and
possible consequences.
To propose and/or evaluate legal and other appropriate courses of
action.