Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
CHAPTER III: INFORMATION AND COMMUNICATION TECHNOLOGY
These four key concepts are revisited throughout this report. Various ICT standardization bodies have produced definitions that help to explain the interrelationship between the concepts. ITU-T Recommendation X.800 and IETF RFC 2828 define the above concepts as shown in Table 1 (ITU-T 1991; Shirey 2000).
The relationship between the threat-related system concepts defined above can be illustrated with a simple sketch, as shown in Figure 2. Simply put, a successful attack is one that eludes or breaches the security countermeasures, consequently taking advantage of a system vulnerability and resulting in particular threat consequences or disruptions. The success of an attack therefore depends on three factors: the strength of the attack, the degree of vulnerability, and the effectiveness of the countermeasures employed.
Figure III-2 Relationship between various threat-related concepts.
It is generally acknowledged that it is impossible to secure fully against all attacks (Audestad 2005). This is because ICT systems are growing increasingly complex, making a comprehensive analysis of all failure scenarios computationally intractable. Existing security countermeasures (e.g. firewalls) are implemented against known or predictable attacks and events. However, these measures are not sufficient to protect against the practically unlimited number of new, unpredictable and/or unknown attacks that could have a similarly crippling effect on the system. Moreover, the level at which countermeasures are implemented, and the ability to reduce vulnerabilities, is constrained by the availability of the requisite resources (e.g. sufficient budgets, skilled staff).
Therefore, each organization tries to find a compromise between the level of risk it accepts and the information security investment it can justify. This necessitates a trade-off between the security precautions taken and the tolerance for the remaining risk of attack. Vulnerabilities may be tolerable when the attacks needed to exploit them are too difficult, or when the perceived benefit to the attacker is small even if the vulnerability is easily exploitable. Conversely, top priority is given to the threat scenarios where the likelihood of attack is high and the outcome extremely disruptive. These assumptions hold in particular when the attacks are well understood and relatively easy to execute, or when the vulnerable system is known to support large numbers of users or mission-critical processes. All of these are typical features that provide the prerequisite incentives for potential attackers.
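The prioritisation rule in this passage (tolerate a vulnerability when the attack is too difficult or the attacker's gain is small; give top priority to scenarios with high likelihood and a highly disruptive outcome, with ease of attack, user numbers and mission criticality driving likelihood) can be written down as a small triage routine. The following Python script is an added illustration, not code from the report; the 1-5 scales, the thresholds DIFFICULTY_TOLERANCE and BENEFIT_TOLERANCE, the likelihood formula and the four sample scenarios are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ThreatScenario:
    """One threat scenario rated on constructed 1-5 scales (assumption)."""
    name: str
    attack_difficulty: int   # 1 = trivial to execute .. 5 = very hard
    attacker_benefit: int    # 1 = negligible gain .. 5 = very high gain
    impact: int              # 1 = nuisance .. 5 = crippling disruption
    exposure: int            # 1 = few users .. 5 = many users / mission critical


# Assumed thresholds: attacks at least this hard, or gains at most this small,
# are deemed not worth the attacker's effort and the vulnerability is tolerated.
DIFFICULTY_TOLERANCE = 4
BENEFIT_TOLERANCE = 1


def likelihood(s: ThreatScenario) -> int:
    """Assumed likelihood model: rises with ease of attack, attacker benefit
    and exposure (large user base / mission-critical processes), clamped to 1-5."""
    ease = 6 - s.attack_difficulty
    return max(1, min(5, round((ease + s.attacker_benefit + s.exposure) / 3)))


def risk_score(s: ThreatScenario) -> int:
    """Conventional likelihood x impact product used only for ordering."""
    return likelihood(s) * s.impact


def triage(s: ThreatScenario) -> str:
    """Apply the report's rule: tolerate when too hard or not worth it,
    top priority when likely and extremely disruptive, otherwise mitigate
    as resources (budget, skilled staff) allow."""
    if s.attack_difficulty >= DIFFICULTY_TOLERANCE or s.attacker_benefit <= BENEFIT_TOLERANCE:
        return "tolerate"
    if likelihood(s) >= 4 and s.impact >= 4:
        return "top priority"
    return "mitigate as resources allow"


def prioritise(scenarios: List[ThreatScenario]) -> List[ThreatScenario]:
    """Order scenarios so the most disruptive and most likely come first."""
    return sorted(scenarios, key=risk_score, reverse=True)


# Constructed sample scenarios (illustrative values, not from the report).
SCENARIOS = [
    ThreatScenario("DDoS on public portal", attack_difficulty=1, attacker_benefit=4, impact=5, exposure=5),
    ThreatScenario("Side channel on HSM", attack_difficulty=5, attacker_benefit=5, impact=5, exposure=3),
    ThreatScenario("Defacement of test server", attack_difficulty=1, attacker_benefit=1, impact=1, exposure=1),
    ThreatScenario("Phishing of admin staff", attack_difficulty=2, attacker_benefit=3, impact=4, exposure=3),
]

if __name__ == "__main__":
    for s in prioritise(SCENARIOS):
        print(f"{s.name:28s} likelihood={likelihood(s)} impact={s.impact} "
              f"risk={risk_score(s):2d} -> {triage(s)}")
```

Note that the "tolerate" verdict is a deliberate consequence of the rule as stated in the text: the HSM scenario has maximal impact yet is tolerated purely because the attack is judged too difficult, which is exactly the kind of judgement an organisation should revisit when attacker capability or the cost of attack changes.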
NORDREGIO REPORT 2007:5 87