Traditionally, a corporation likes to own a customer. The basic mind set is: King is who owns the customers. And: Customers are entities, of which you have sufficient details that you can bill the customer.
This mind set means that in most parts of Europe, corporations believe that owning clients electronic ID is just equal to owning the customer itself.
Obviously Norway proved the opposite with its banking identity, which serves most of the 500 Norwegian banks. Meanwhile after introducing this single identity some restrictions were made such that switching banks would be more painful, today these barriers have stopped and clients are bound by other means to their banks.
The Norwegian model bears an enormous innovation potential for European Member States and Europe as whole. Accepting of a few identities within Europe, would save cost to an unbelievable extent.
In this context the following questions should be clarified in a pre-study:
For the master thesis a business model and culture of a multipart identity provider for Europe should be targeted, using the Norwegian example: What can be learnt by Europe from the example of the Norwegian banks. Is it likely, that the Norwegian example works also in larger and cross country situation?
This work will have human and cultural aspects as well as technical aspects of ID management systems, federations and exploitation of ID management.
Partners which will be important for this study:
Mr. Seming Austin seming.austin@bsk.no.
Mr. Knut Kvalheim knut.kvalheim@bsk.no
Contacts to various project leaders of major European IDM project will be made available. Today there are around 10 projects in this topic completed for Directorate General Information Society Unit 1.4 Information security.
Generation Y (the actual younger generation) has completely new habits in respect to electronic communication and work philosophy. Some of these habits are not compliant with traditional IT-security thinking. History repeats itself: In the early days of the internet, many corporations tried to prohibit internet access for employees. However, this worked on average between 6 and 8 months until a change was unavoidable: The general rule is, that a spirit of the time and a change in a certain direction cannot been stopped by any means.
Young people expect to be connected to the web via social networks 24*7, 365 days an year. If there is no other connection they connect via their own unified communication devices. Therefore controlling the business traffic is a limited solution to the risk origination from web 2.0 technologies. Typical questions in this respect are: What impact has this behavior on the security policy and culture of enterprises. How can these people be integrated with the least risk?
For Web 2.0 technologies, especially social networks, the information security office is challenged to find new ways how to deal with this topic. The main goal is gaining from the opportunities of such technologies with a minimal negative impact on information security. To reach this goal a well balanced mixture of technical measures, monitoring and human aspects will be necessary.
In the pre-study the fundamental aspects should be described and clarified. Furthermore a contact network to three stakeholders should be established, typically with different orientation in security culture. First interviews with the partners and task descriptions of the expectancy should be resulting.
For this study we have two contacts prepared in Switzerland. Marcel Meier has specialized company on web 2.0 technologies and is a promoter of the winning side. Thomas Kohler, UBS AG, is an innovative thinking IT-risk control manager. He is willing to support this project as well.
Information Sharing is a political demand to counter fight Cyber and High Tech Crime. The term information sharing is used for exchange of confidential information across companies and administrations to warn each other very early from potential risks and threats.
Today, very few successful information sharing centers are operational. However, many countries and organizations try to build up new information sharing centers. Therefore, quality information in this topic is very much welcome for many parties.
The European Commission initiated the areci (elaborated by bell labs) study describing how to develop successful information sharing. This study will be made available. The study makes quite detailed analyses, but remains unclear in respect to the critical success factors. These factors are the final target of this work.
The lecturer has initiated in the year 2000 one of the very successful information sharing centre named
MELANI: information sharing center in Switzerland www.melani.admin.ch
MELANI should be analyzed. Beside the English MELANI webpage, several studies and presentations will be made available and the direct contact to the operational leader Marc Henauer. The following outcomes are expected:
External partner:
marc.henauer@gs-vbs.admin.ch; Marc.Henauer@fedpol.admin.ch
The pre-study will be used to make a first analysis of the topic and should reveal in more detail the master thesis. A narrow cooperation with the lecturer is in this work, at least in the starting phase, would be very useful to transfer his experience and materials to the student.
This work requires a good knowledge in computer attacks and a sound willingness to learn about national security.
Application security has been a hot topic for 25 years, and most of the 25 top vulnerabilities remained more or less unchanged in this period: Applications vulnerabilities: see http://www.sans.org/top25errors
Astonishingly major efforts in software engineering and software design have failed to address application security successfully.
Microsoft started the initiative Secure Development Life Cycle SDLC and has also educational material on this issue. (more material will be made available for the interested students)
In the pre-study the student will learn about application security and its countermeasure. SDL and other programs should be analyzed on completeness to address the 25 top vulnerabilities.
Furthermore there are some application program existing (and may be available with a non disclosure agreement) which check source code on the top 25 vulnerabilities. The results are disappointing: Open source applications as well as closed source have more or less the some statistic: In a 500 k line program one out of 30 lines show a major vulnerability which may be exploited.
In a pre-study the student should learn about application security and vulnerabilities as well as automatic, inherent and other countermeasures. Some hypothesis in technical and human aspects (the programmers and their culture) should be made.
The thesis itself will develop one or several option to counter fight existing and new programmed application vulnerabilities. If it turns out feasible, efforts will be made, that a corporate turnaround program for application security may be developed.
This work will be challenging in technology and has also a quite broad component on human and organizational aspects.
External partners will be made available for this work, e.g. Microsoft, nruns (is one of the two licensed educator for SDLC) and other organization involved in this business.
There is a general rule in information security that planning depends on concrete and detailed scenarios. However, education is often very systematic and lives more from mini cases than from an integrated case study.
As we requested money from the Swiss national fund to prepare an executive master program with labs and case studies, Socotec AG, a fictitious corporation was built as a case study. The foundation of this corporation was around 10 confidential audit and risk assessment reports of worldwide operating companies. After having completed this company, two days and more than 20 security specialist and consultant were dedicated to bring this fictitious enterprise to reality.
In education Socotec AG was a big success and was later translated to English from the university of Oldenburg, Germany, by Prof. Teufel, today direct of the International Institute Telecommunication Management IIMT at the University in Freiburg, Switzerland.
There are some issues which have to be fixed and evolved:
The pre-study allows learning about the study and the aspects of it. An in depth analysis should show the weaknesses (including the above mentioned one) and results in suggestion to improve the situation.
During the master thesis the study will be innovated and solutions to selected aspect will be developed.
This work is challenging in technical matters, but also in a holistic information security view, where the student will learn to mutually balance out technical, organizational, managerial, process oriented, human and legal aspects.
All students are invited for this thesis, but students which work now or in near future in the information security office of a company, will have an excellent preparation on their job.
Writing scientific paper on this case study is very well feasible.
