2. Index
• Risk analysis
• Legal, Privacy & Ethical issues
• Computer Security: Protecting Programs and
Data
3. Security in System Development
• Risk Analysis & Management needs to be a
part of system development, not tacked on
afterwards
• Baskerville's three generations of methods
1st Generation: Checklists
Example: BS 7799 Part 1
2nd Generation: Mechanistic engineering methods
Example: this risk analysis method
3rd Generation: Integrated design
Not yet achieved
5. Definitions 1
The meanings of terms in this area are not universally
agreed. We will use the following:
• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Attack: A threatening event
• Attacker: The agent causing an attack (not
necessarily human)
• Vulnerability: a weakness in the system that
makes an attack more likely to succeed
• Risk: a quantified measure of the likelihood of a
threat being realised
6. Definitions 2
• Risk Analysis involves the identification and
assessment of the levels of risk, calculated from
the
– Values of assets
– Threats to the assets
– Their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification,
selection and adoption of security measures
justified by
– The identified risks to assets
– The reduction of these risks to acceptable levels
7. Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
– Their impact on assets has been valued
• All vulnerabilities have been identified and
assessed
8. Problems of Measuring Risk
Businesses normally wish to measure in money, but
• Many of the entities do not allow this
– Valuation of assets
• Value of data and in-house software - no market value
• Value of goodwill and customer confidence
– Likelihood of threats
• How relevant is past data to the calculation of future
probabilities?
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security measures
• Problems with the difference of two approximate quantities
– How does an extra security measure affect a ~10⁻⁵ probability of
attack?
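The "difference of two approximate quantities" problem above, worked through as an added example (not part of the original slides): the benefit of a measure is expected loss before minus expected loss after, and once each probability is only trusted to within a factor, that difference can lose its sign. The impact and probability figures and all function names are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """A quantity known only to lie between lo and hi."""
    lo: float
    hi: float

    def scale(self, k: float) -> "Interval":
        return Interval(self.lo * k, self.hi * k)  # valid for k > 0

    def __sub__(self, other: "Interval") -> "Interval":
        # Smallest difference pairs our low end with their high end and
        # vice versa, so the widths of the two operands ADD.
        return Interval(self.lo - other.hi, self.hi - other.lo)

    def spans_zero(self) -> bool:
        return self.lo < 0 < self.hi


def within_factor(estimate: float, factor: float) -> Interval:
    """An estimate trusted only to within a multiplicative factor."""
    return Interval(estimate / factor, estimate * factor)


def measure_benefit(impact, p_before, p_after, factor) -> Interval:
    """Expected loss avoided by a security measure, as an interval."""
    loss_before = within_factor(p_before, factor).scale(impact)
    loss_after = within_factor(p_after, factor).scale(impact)
    return loss_before - loss_after


def max_factor_for_known_sign(p_before: float, p_after: float) -> float:
    """Uncertainty factor below which the benefit is certainly positive."""
    return math.sqrt(p_before / p_after)


# Constructed sample figures (assumptions, not from the slides).
IMPACT = 1_000_000   # loss if the attack succeeds, in money units
P_BEFORE = 1e-5      # estimated probability of attack without the measure
P_AFTER = 5e-6       # estimated probability with the measure in place

if __name__ == "__main__":
    for factor in (1.0, 1.2, 3.0):
        b = measure_benefit(IMPACT, P_BEFORE, P_AFTER, factor)
        verdict = "sign unknown" if b.spans_zero() else "positive"
        print(f"factor {factor}: benefit {b.lo:.2f} to {b.hi:.2f} ({verdict})")
    limit = max_factor_for_known_sign(P_BEFORE, P_AFTER)
    print(f"benefit is certainly positive only below factor {limit:.2f}")
```

With these figures a measure that halves the estimated probability shows a definite benefit only if both estimates are accurate to within a factor of about 1.41; at a factor of 3 the benefit interval runs from a loss to a gain.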
9. Risk Levels
• Precise monetary values give a false precision
• Better to use levels, e.g.
– High, Medium, Low
• High: major impact on the organisation
• Medium: noticeable impact (“material” in auditing terms)
• Low: can be absorbed without difficulty
– 1 - 10
• Express money values in levels, e.g.
– For a large University Department a possibility is
• High
• Medium
• Low
10. Risk Analysis Steps
• Decide on scope of analysis
– Set the system boundary
• Identification of assets & business processes
• Identification of threats and valuation of their
impact on assets (impact valuation)
• Identification and assessment of vulnerabilities
to threats
• Risk assessment
11. Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
– It will rarely be the computer!
• Make explicit assumptions about the security
of neighbouring domains
– Verify them!
12. Risk Analysis - Identification of Assets
• Types of asset
– Hardware
– Software: purchased or developed programs
– Data
– People: who run the system
– Documentation: manuals, administrative procedures, etc
– Supplies: paper forms, magnetic media, printer liquid, etc
– Money
– Intangibles
• Goodwill
• Organisation confidence
• Organisation image
13. Risk Analysis – Impact Valuation
Identification and valuation of threats - for each group
of assets
• Identify threats, e.g. for stored data
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (Denial of Service)
• For many asset types the only threat is loss of
availability
• Assess impact of threat
– Assess in levels, e.g. H-M-L or 1 - 10
– This gives the valuation of the asset in the face of the threat
14. Risk Analysis – Process Analysis
• Every company or organisation has some
processes that are critical to its operation
• The criticality of a process may increase the
impact valuation of one or more assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets
15. Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline
system
– For risk analysis of an existing system
• Existing system with its known security measures and
weaknesses
– For development of a new system
• Security facilities of the envisaged software, e.g.
Windows NT
• Standard good practice, e.g. BS 7799 recommendations
of good practice
16. Risk Analysis – Vulnerabilities 2
For each threat
• Identify vulnerabilities
– How to exploit a threat successfully;
• Assess levels of likelihood - High, Medium, Low
– Of attempt
• Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
– Successful exploitation of vulnerability;
• Combine them
[Table: the combined likelihood level (Low, Med or High) for each pairing of Likelihood of Attempt (Low, Med, High) with Likelihood of Success (Low, Med, High)]
17. Responses to Risk
Responses to risk
• Avoid it completely by withdrawing from an
activity
• Accept it and do nothing
• Reduce it with security measures
18. Security Measures
Possible security measures
• Transfer the risk, e.g. insurance
• Reduce vulnerability
– Reduce likelihood of attempt
• e.g. publicise security measures in order to deter attackers
• e.g. competitive approach - the lion-hunter’s approach to security
– Reduce likelihood of success by preventive measures
• e.g. access control, encryption, firewall
• Reduce impact, e.g. use fire extinguisher / firewall
• Recovery measures, e.g. restoration from backup
19. Problems of Risk Analysis and Management
• Lack of precision
• Volume of work and volume of output
• Integrating them into a “normal” development
process
20. Legal, Privacy, and Ethical Issues in Computer Security
• Program and data protection by patents,
copyrights, and trademarks
• Computer Crime
• Privacy
• Ethical Analysis of computer security
situations
• Codes of professional ethics
21. Motivation for studying legal issues
• Know what protection the law provides for
computers and data
• Appreciate laws that protect the rights of
others with respect to computers, programs,
and data
• Understand existing laws as a basis for
recommending new laws to protect
computers, programs, and data
22. Aspects of Protection of the security of computers
• Protecting computing systems against
criminals
• Protecting code and data (copyright...)
• Protecting programmers’ and employers’ rights
• Protecting private data about individuals
• Protecting users of programs
23. Ethical vs. Legal Issues
• Q: What’s the difference between a legal issue and an ethical issue?
• How do you determine which it is?
• Should you care which it is?
• What percentage of your time would you guess that you will spend dealing
with ethical or legal issues?
24. Ethical vs. Legal Issues
• Legal issues:
– Sometimes have a definitive answer
– Determination is made by others (not you)
• Ethical issues:
– Sometimes have a definitive answer
– You determine your course of action
• The law doesn’t make it “right”
• Being “right” doesn’t make it legal
25. Basic Legal Issues
a) Protecting Programs and Data
b) Information and the Law
c) Ownership Rights of Employees and Employers
d) Software Failures (and Customers)
26. Protecting Programs and Data
Copyrights — designed to protect expression of ideas (creative
works of the mind)
Ideas themselves are free
Different people can have the same idea
The way of expressing ideas is copyrighted
Copyrights are exclusive rights to making copies of
expression
Copyright protects intellectual property (IP)
IP must be:
Original work
In some tangible medium of expression
27. INTELLECTUAL PROPERTY RIGHT
• Intellectual property rights are the legal rights that
cover the privileges given to individuals who are
the owners and inventors of a work, and have
created something with their intellectual
creativity. Individuals working in areas such as
literature, music, invention, etc., can be granted
such rights, which they can then use in their
business practices.
• The creator/inventor gets exclusive rights against
any misuse or use of work without his/her prior
information
29. Copyrights
• Public domain: work owned by the public (e.g.
government)
• Work must be original to the author
• “fair use of a copyrighted work, including such use
by reproduction in copies…for purposes such as
criticism, comment, news reporting, teaching
(including multiple copies for classroom use),
scholarship or research.”
• New owner can give away or sell object
31. Copyrights
• In India, the law on copyright protection is
contained in the Indian Copyright Act, 1957,
which came into effect in January 1958.
• This Act has been amended 5 times since then,
i.e. in 1983, 1984, 1992, 1994, 1999 & 2012.
• The Copyright (Amendment) Act 2012 is the
most substantial, bringing the digital
environment into its purview.
32. Subject Matter of Copyright
• Copyright law protects "original works of
authorship."
• The work does not have to be the first of its kind,
or novel
• It just has to be the independent product of the
author, not copied from another source.
• Copyright is held by an author upon a work's
creation and "fixation" in tangible form, so that it
can be perceived directly or with the aid of a
machine or other device
33. Contd..
• Works of authorship include the following categories
(1) literary works;
(2) musical works, including any accompanying words;
(3) dramatic works, including any accompanying music;
(4) choreographic works;
(5) pictorial, graphic, and sculptural works;
(6) motion pictures and other audiovisual works;
(7) sound recordings; and
(8) architectural works.
34. What Copyright Protects
• Original Literary, Dramatic, Musical and
Artistic Works
• Cinematograph Films
• Sound Recordings
35. Literary Works
• Novels, poems, short stories
• Books on any subject
• Computer programmes,
tables, computer
databases
• Song lyrics
37. Who owns the copyright?
• Ordinarily, the creator does. However, if he or
she creates the work in the course of employment
or is retained under an appropriate contract to
make the work, then the work is a "work made for
hire," and the employer or the contracting party
owns the copyright. Co-creators jointly own the
copyright in the work they create together.
• In some situations, when a work is created by a
member of the University, Harvard policies vary
the ownership that would otherwise result under
copyright law.
38. Can a copyright be transferred to someone else?
• Like any other property, a copyright can be sold
or given to someone else, who then becomes the
owner of the copyright. A copyright is a bundle
of exclusive rights, which can be transferred
separately or all together.
• A copyright owner can also retain the copyright
but permit (or non-exclusively license) others to
exercise some of the owner's rights. For example,
a photographer might permit the use of one of her
photographs on a book jacket.
39. Permission to reproduce or disseminate someone else's copyrighted work?
• Find the copyright owner and ask. There are no special
forms that must be used, and permission can be oral or
written, though it is good practice to obtain permission in
writing.
• The copyright owner is free to charge whatever fee he or
she wishes, though the user is likewise free to try to
negotiate a lower fee.
• Most major publishers and periodicals have a "permissions
desk" or a "rights editor," and a written request addressed
in this way will usually find its way to the right person.
• You should specify the publication you wish to take from;
the precise pages, chapters, photographs or the like you
want to use; how many copies you want to make; and the
purpose of your use. Many permissions desks accept
requests by e-mail or through the publisher's website.
40. Infringement
• A copyright is infringed when one of the exclusive
rights of the copyright holder is violated.
• These include the right to reproduce a
copyrighted work, prepare derivative works based upon it,
distribute copies by sale or other transfer of ownership, to
perform and display it publicly, and to authorize others to
do so
• Three types of infringement
– Direct infringement
– Indirect infringement
– Vicarious liabilities
41. Direct Infringement
• Direct infringement occurs when a person
without authorization reproduces, distributes,
displays, or performs a copyrighted work, or
prepares a derivative work based on a
copyrighted work.
• For direct copyright infringement, it does not
matter whether a direct profit is derived from
the infringing works.
42. Contributory Infringement
• Liability for copyright infringement may be imposed on
persons who have not themselves engaged in the infringing
activity, but where it may be seen as "just to hold one
individual accountable for the actions of another."
• Contributory infringement occurs, for example, where a
person "with knowledge of the infringing activity, induces,
causes or materially contributes to the infringing conduct of
another."
• An Internet provider may be liable for contributory
infringement, says the court, if it knows or should have
known of the infringement and fails to do anything about it.
43. Exclusive Rights
• Copyright provides an author with a tool to
protect a work from being taken, used, and
exploited by others without permission.
• The owner of a copyrighted work has the
exclusive right
– to reproduce it,
– prepare derivative works based upon it,
– distribute copies by sale or other transfer of ownership,
– to perform and display it publicly, and
– to authorize others to do so.
44. Patents
• Protect inventions, tangible objects, or ways to make
them, not works of the mind.
• Patents are designed to protect the device or process for
carrying out an idea, not the idea itself.
• Patent goes to person who invented the object first
• Algorithms are inventions and can be patented
45. Patent
• Patents give inventors the exclusive right to
duplicate their invention’s design. Patents cover
devices, formulas, tools, and anything that has
utility. To get a patent, you must apply to the
Patent Office and submit the invention’s design.
You must show that the design is unique. A patent
examiner will determine if you are entitled to a
patent. If so, a patent is granted that prohibits
anyone else from making, using, offering for sale,
selling, or importing the invention. A patent lasts
20 years.
46. Trademark
• A trademark is a word, phrase, or logo that
identifies a product, a service, or the person or
company that offers a product or service to the
public. You must apply to the Trademark Office to
register a federal trademark. If your trademark
is registered, you can generally prevent anyone
else from using a mark that may confuse the
public about who offers the product or service.
47. Trade Secrets
• Information that gives one company a
competitive edge over others
• Reverse engineering – study finished object
to determine how it is manufactured or how it
works
• Trade secret protection can apply to software
48. Copyright v/s Patent v/s Trade mark
• Copyright protects original works of
authorship,
• while a patent protects inventions or
discoveries.
• A trademark protects words, phrases, symbols,
or designs identifying the source of the goods
or services of one party and distinguishing
them from those of others.
49. Comparison table: Copyright, Patent and Trade Secret Protection
Feature | Copyright | Patent | Trade Secret
Protects | Expression of idea, not idea itself | Invention—way something works | Secret, competitive advantage
Protected Object Made Public | Yes; intention is to promote publication | Design filed at Patent Office | No
Must Distribute | Yes | No | No
Ease of filing | Very easy, do-it-yourself | Very complicated; specialist lawyer suggested | No filing
Duration | Originator’s life + 70 yrs; 95 yrs for company | 19 years | Indefinite
Legal Protection | Sue if unauthorized copy sold | Sue if invention copied/reinvented | Sue if secret improperly obtained