Essay Instructions: Project Title
-------------
Risk Management and Analysis - Process and Policy before Technology
Propsed Abstract
----------------
According to studies released by the FBI and the Computer Security Institute (CSI), over 70% of all attacks on sensitive data and resources reported by organizations occurred from within the organization itself. Implementing an internal security policy appears to be just as important as an external strategy. The objective of this report is to highlight the necessity of internal processes and policy alongside technology when managing and mitigating risk. The author narrates the problems of security from the unseen forces in an individual that influence thought, behavior and personality. Computers do not yet have the intelligence to question human reasoning, understand the human psyche and then take action based upon logical deduction. The subject matter for this dissertation is based the author’s own personal working experiences, modules taught in the Master of Software Engineering and course materials used.
Background (maybe part of opening Chapter 1)
----------
Many of the firms in question that I worked for invest significant sums of money per annum into technology, with the newfound belief that software creates the competitive advantage and brings business value to the market place. These assets some of which are tangible require many forms of security to protect them from vandals, hackers, thieves and yes, even competitors. It is the traditional techniques of using hardware and software to manage this risk that the author believes to be the underlying problem of safe keeping their information commodities.
There is not yet a computer with the artificial intelligence, to understand, that one person accessing a system with another person’s credentials maybe alarm for suspicion. It cannot discuss this with another peer computer or explain the extra sensory feelings it has to its human superior. It does not have the ability to correlate the company’s compliance rule regarding computer access against the activity a person is performing on a machine it knows does not belong to that person.
Just as computers need rules and boundaries in order to operate in, so do people, as a society we remain sure of this. We cannot however assume that the person knows the consequences of their actions, and understands that what they are doing may be wrong based upon the rules which have been put in place by the company. We have to educate and teach first, discipline and enforce last.
The report should demonstrate the use of software engineering subject matter taught in –
1. Practical Software Engineering
2. People and Security
3. Security Risk Analysis and Management
4. Security Principles
5. Software Development Management
Requirements (IMPORTANT)
------------
- An Oxford layout
- At the start of each (proper) chapter I'd expect to see a paragraph along the lines of "In this chapter we're going to do X. We're going to start by thinking about Y and then we'll move on to tackle Z.
- The theory of nature versus nurture in software engineering should be the central point to this project. I am trying to theorise that a persons genetic make up and social up bringing (both parental and cultural), has a definative role to play in software engineering. Is it not logical that our traits and imperfections are carried over to become part of the things we create? If so how do we analise this and what do we do to mitigate and manage the risk involved?
Questions to think about
-----------------------
- Why does a person hack computer systems? What makes them do this? Is their a median hacker age? What stats can prove this? If there is an age pattern would that be part of a process company's would implement to help prevent internal hacking based on age, gender, chemical make up? What are the moral implications of such a thing?
Examples would be to analyse some of the major software engineering failures, such as the following, and ask if better process could have been implemented to prevent this from happening -
The AT&T network collapse (1990)
In 1990, 75 million phone calls across the US went unanswered after a single switch at one of AT&T's 114 switching centers suffered a minor mechanical problem, which shut down the centre. When the centre came back up soon afterwards, it sent a message to other centres, which in turn caused them to trip and shut down and reset.
The culprit turned out to be an error in a single line of code -- not hackers, as some claimed at the time -- that had been added during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.
Mars Climate Observer metric problem (1998)
Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space program that, in 1998, was supposed to study the Martian weather, climate, and water and carbon dioxide content of the atmosphere. But a problem occurred when a navigation error caused the lander to fly too low in the atmosphere and it was destroyed.
What caused the error? A sub-contractor on the Nasa programme had used imperial units (as used in the US), rather than the Nasa-specified metric units (as used in Europe).
http://www.wired.com/software/coolapps/news/2005/11/69355
Mariner I space probe
A bug in the flight software for the Mariner 1 causes the rocket to divert from its intended path on launch. Mission control destroys the rocket over the Atlantic Ocean. The investigation into the accident discovers that a formula written on paper in pencil was improperly transcribed into computer code, causing the computer to miscalculate the rocket's trajectory.
Article that reflects my thoughts for this dissertation
-------------------------------------------------------
http://jacobian.org/writing/syntactic-sugar/
However, I’ve seen this particular assertion — “all programming languages are the same because they’re all Turing complete” — used repeatedly as long as I’ve been a programmer. It drives me nuts.
Sure, it’s true on a technical level. Any computer language we write gets interpreted and compiled down to machine code, so at a practical level a C program with a for(;;) loop and a Python list comprehension might end up with the same values flowing over my registers and the same instructions dropping into the CPU. But this reductionist view of programming completely ignores the incredibly important role that language plays in thought.
The traditional view of languages — human or computer — is that they’re a tool we use to express thought. But modern literary and linguistic theory holds that it’s a two way street: our thought drives our language, but the language we use leaves an indelible imprint on our thought processes. I’m not a linguist, but from what I can tell the Sapir-Whorf hypothesis is the main designator for this idea of language influencing thought.
http://en.wikipedia.org/wiki/Sapir-Whorf_hypothesis
The hypothesis postulates that a particular language's nature influences the habitual thought of its speakers: That is, different language patterns yield different patterns of thought. This idea challenges the possibility of perfectly representing the world with language, because it implies that the mechanisms of any language condition the thoughts of its speaker community.
There’s no question in my mind that this applies full-force to software development: different languages make it easier or harder to conceive of certain types and classes of algorithms. So-called “syntactic sugar” can make a big difference in efficiency: one language might naturally lend itself to writing a something close to the theoretically optimal case, while another might lead you towards a different, less efficient, solution.
Most importantly, though, is the way that computer languages intersect with our own thoughts. You’ll often a developer talk about how his favorite language “fits my brain” or “matches the way I think.” As a group of analytical types, we often dismiss these types of assertions in favor of more quantitative measurements of performance or memory consumption. But that’s a huge mistake: we’ll always be more productive in a language that promotes a type of thought with which we’re already familiar.
http://en.wikipedia.org/wiki/Neuroplasticity
According to the theory of neuroplasticity, thinking, learning, and acting actually change both the brain's physical structure, or anatomy, and functional organization, or physiology from top to bottom.
In other words, what you think changes what you *will* think.
http://en.wikipedia.org/wiki/Syntactic_sugar
Bibliographys
-------------
At least 50 or more, here are some that I have been researching already
Journal Articles
[ja1] John Soat, 2008, Tomorrow’s CIO: Process Before Technology, http://www.informationweek.com/blog/main/archives/2008/06/tomorrows_cio_p.html
[ja2] Matt Blaze, 2004, Safecracking for the computer scientist, http://www.crypto.com/papers/safelocks.pdf
Books
[b1] Bruce Schneier, 2000, Secrets and Lies: Digital Security in a Networked World, ISBN 1, John Wiley
[b2] Drew Miller, Michael Bednarczyk, 2005, Black Hat Physical Device Security: Exploiting Hardware and Software, ISBN X, Syngress
[b3] Harold F. Tipton, Micki Krause, 2007, Information Security Management Handbook, ISBN 2, CRC Press
[b4] Pierpaolo Degano, 2007, Programming Languages and Systems: 12th European Symposium on Programming, ESOP 2003, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2003, Warsaw, Poland, April 7-11, 2003 : Proceedings, ISBN 1, Springer
[b5] James S. Tiller, Tiller S. Tiller, 2005, The Ethical Hack: A Framework for Business Value Penetration Testing, ISBN X, CRC Press
[b6] Albert-László Barabási, 2003, Linked: The New Science of Networks, ISBN 9, Basic Books
[b7] Watts S. Humphrey, 1997, Introduction to the Personal Software Process, ISBN 7, Addison-Wesley
[b8] Thomas A. Birkland, 2005, An Introduction to the Policy Process: Theories, Concepts, and Models of Public Policy Making, ISBN 8, M.E. Sharpe
[b9] G. David Garson, 1995, Computer Technology and Social Issues, ISBN 4, Idea Group Inc (IGI)
[b10] Louis A. Poulin, 2005, Reducing Risk with Software Process Improvement, ISBN X, CRC Press
[b11] Bruce Schneier, 2003, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, ISBN X, Springer
[b12] Kevin David Mitnick, 2002, The Art of Deception: Controlling the Human Element of Security, ISBN 4, John Wiley and Sons
[b13] Eric Gander, 2003, On Our Minds: How Evolutionary Psychology is Reshaping the Nature-versus-nurture Debate, ISBN 8, JHU Press
[b14] Lorrie Faith Cranor, Simson Garfinkel, 2005, Security and Usability: Designing Secure Systems that People Can Use, ISBN 9, O'Reilly
[b15] Ross Anderson, 2001, Security Engineering: A Guide to Building Dependable Distributed Systems, ISBN 3, John Wiley and Sons
World Wide Web
[www1] Wikipedia, (2008), Wile E. Coyote and Road Runner, http://en.wikipedia.org/wiki/Wile_E._Coyote_and_Road_Runner
[www2] Wikipedia, (2008), Cash is King, http://en.wikipedia.org/wiki/Cash_is_king
[www3] Wikipedia, (2008), Disk Cloning, http://en.wikipedia.org/wiki/Disk_cloning
[www4] Wikipedia, (2008), Firewall, http://en.wikipedia.org/wiki/Firewall
[www5] Wikipedia, (2008), Intrusion detection system, http://en.wikipedia.org/wiki/Intrusion-detection_system
[www6] Wikipedia, (2008), Virtual private network, http://en.wikipedia.org/wiki/Vpn
[www7] Wikipedia, (2008), Smart Card, http://en.wikipedia.org/wiki/Smart_card
[www8] Wikipedia, (2008), Anti-virus, http://en.wikipedia.org/wiki/Antivirus
[www9] Wikipedia, (2008), Encryption, http://en.wikipedia.org/wiki/Encryption
[www10] Wikipedia, (2008), Nature versus nurture, http://en.wikipedia.org/wiki/Nature_versus_nurture
[www11] Kimberly Powell, (2008), Nature vs. Nurture - Are We Really Born That Way?, http://genealogy.about.com/cs/geneticgenealogy/a/nature_nurture.htm
