engleski

Information Security as a Part of Curricula in Every Professional Domain, Not Just ICT’s

Information security is increasingly gaining attention of managers, leaders but also of general public. Attacks on information security are no longer focused on “pure” IT systems, but are finding critical infrastructure of great interest: energy supply, transportation systems, financial systems and other vital systems. However, even the notion of national critical infrastructure is changing as cyber attackers find their motivations in attacking food production and supply, health systems, news media, educational resources and other systems traditionally not being considered as critical national infrastructure. Actually, it seems that the attackers better understand the interdependencies of modern, global society than leaders and decision makers. It seems that no part of modern social, commercial or private life is unimportant to attackers and that they all need to be defended. This presents tall goals to cyber defense forces. But even that is not the end of the problems. New methods of attacks are appearing. Slow san attacks are very difficult to discover. Hibernated attacks are executed by programs deployed many days, months, theoretically even years earlier, rendering it impossible to trace the attack back to the origin and the attacker. Finally, new attackers are stepping onto the scene: white collar social engineers. As automated tools for social engineering are becoming more sophisticated and readily available, domain specialists are able to perform highly sophisticated attacks against their fellow professionals. Information and communication technology specialissts and information security specialists lack the domain knowledge to predict, detect and counter fight such attacks. It becomes clear that specialized, dedicated cyber defense forces are necessary. Information security cannot be their side job or just a part of their job. It has to be the only job. However, they alone would have a hard job securing systems if those who design, deploy and maintain them do not get appropriate education in information security in order for systems to be as secure as possible, in the first place. But, not even that is sufficient. Security of every system is so domain specific and attackers are getting so domain proficient that only domain specialists can predict, prevent and counter attacks. Therefore, in order to even attempt to achieve required level of security of the society, domain professionals need to get information security awareness, education and readiness trainings, continuously. A special challenge presents the fact that domain professionals do not have an attacker’s mindset. They think about usability, intuitiveness and flexibility of systems they build and take care of. In order to be able to mitigate the attack risk, they have to understand and to some extent enact the mindset of the attackers. This requires psychological education as well as simulations and incident trainings.

Information security ; Education ; ICT ; Curricula ; Social engineering ; Slow scan attack ; Hibernated attack ; White collar social engineers

DOI: 10.4018/978-1-4666-8793-6