information systems risk, threats and related methods of risk mitigation. Specifically, we will examine systems based upon artificial intelligence (AI), including those for managing component content as well as document management. We will also consider newer systems designed to provide protection in emerging technology areas such as the internet, mobile communications and social networks, each of which presents unique challenges and threats requiring novel responses and methods of intervention.
In the Enterprise Information Management Institute (EIMI) model, managing information security involves the safeguarding of several key aspects of information assets against risk, namely confidentiality, privacy, and competitive advantage (EIMI, 2007). Information assets commonly occur in the form of documents, messages, images, maps, multimedia binaries, or other formats.
The Committee on National Security Systems (CNSS) identifies the concept of Information Assurance (IA) Risk Management, along with a holistic view and framework for national security inclusive of methods, processes and tools. The CNSS bases its policy and authority upon National Security Directive 42, and provides the decision-making basis for governmental information managers to assess, prioritize, and respond to IA risks on a continuous basis, as well as to evaluate and recommend risk mitigation strategies. CNSS (2009) defines Risk Assessment in the following way:
"…the process of determining the extent to which an entity is threatened; that is, determining the likelihood of potential adverse circumstances or events and the resulting harm to or impact on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation."
Leenen et al. (2011) outline the parameters for an ontology-based knowledge system in the context of Information Operations (IO), which refers to the discipline of utilizing information to either gain advantage over an opponent, or to defend one's own interests and information assets. An ontology can be defined as a formalized set of concepts within a domain and the interrelationships within the set, created for the purpose of defining and discussing the domain and its properties. A logic-based ontology is of particular relevance to operations requiring intelligent retrieval of information, with the capacity to reduce ambiguity in handling the complex subtleties and nuances of expression in natural language, and the capability to improve the yield of meaningful information from a retrieval operation. Ontologies are to be regarded as an emerging science and art with certified and off-the-shelf methodologies yet to be developed, while the practice matures with ongoing research and experience. However, businesses and governments alike have begun to embrace IO, recognizing the strategic value of information as being simultaneously defensive and offensive to corporate competitiveness as well as to national security and the effective administration of government. The common thread is that business and government are both competitive environments, within which institutions must protect their strategies and sensitive information assets from competitors, while gathering intelligence regarding their competitors' own objectives and methods. Concepts such as competitive intelligence, competitive deception and psychological operations are integral to the effective management of IO in all its forms.
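The retrieval benefit of a logic-based ontology described above can be made concrete with a small worked example. The following Python is an added illustration, not code from Leenen et al. or from any system the text discusses: it holds a constructed is-a hierarchy of a few IO-related concepts, a constructed lexicon mapping surface terms (synonyms, abbreviations) onto those concepts, and a constructed document set. A query for a concept is expanded through subclass inference and alias resolution before matching, which is why "Threat" retrieves documents that only mention a trojan or a worm while a literal keyword search does not.

```python
import re

# Constructed is-a hierarchy: concept -> parent concept (None for a root)
ONTOLOGY = {
    "Threat": None,
    "Malware": "Threat",
    "Trojan": "Malware",
    "Worm": "Malware",
    "SocialEngineering": "Threat",
    "Phishing": "SocialEngineering",
    "Countermeasure": None,
    "Antivirus": "Countermeasure",
}

# Constructed lexicon: surface term -> concept. Several synonyms and
# abbreviations resolve to a single concept; this is where ambiguity is reduced.
ALIASES = {
    "threat": "Threat", "malware": "Malware",
    "trojan horse": "Trojan", "trojan": "Trojan", "worm": "Worm",
    "phishing": "Phishing", "phish": "Phishing",
    "countermeasure": "Countermeasure", "antivirus": "Antivirus", "av": "Antivirus",
}

# Constructed document collection
DOCS = {
    "d1": "Analysts traced the trojan horse to a phishing email.",
    "d2": "A worm spread through unpatched hosts overnight.",
    "d3": "The AV signature update blocked the malware.",
    "d4": "Quarterly threat briefing for executives.",
    "d5": "Vendor roadmap for audio-visual conferencing.",
}


def descendants(concept):
    """All concepts reachable from `concept` through is-a (transitive closure)."""
    found = set()
    frontier = [concept]
    while frontier:
        parent = frontier.pop()
        for child, p in ONTOLOGY.items():
            if p == parent and child not in found:
                found.add(child)
                frontier.append(child)
    return found


def expand_query(concept):
    """Surface terms for the concept and for everything it subsumes."""
    closure = {concept} | descendants(concept)
    return {term for term, c in ALIASES.items() if c in closure}


def _mentions(term, text):
    # Whole-word, case-insensitive match, so 'av' does not hit 'audio-visual'
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def keyword_retrieve(term, docs):
    """Baseline: literal keyword match only."""
    return {doc_id for doc_id, text in docs.items() if _mentions(term, text)}


def ontology_retrieve(concept, docs):
    """Logic-based retrieval: match any term of any subsumed concept."""
    terms = expand_query(concept)
    return {doc_id for doc_id, text in docs.items()
            if any(_mentions(t, text) for t in terms)}


if __name__ == "__main__":
    print("keyword 'threat':", sorted(keyword_retrieve("threat", DOCS)))
    print("ontology Threat:", sorted(ontology_retrieve("Threat", DOCS)))
```

The difference in yield comes entirely from the `descendants` closure: the ontology knows that a trojan is malware and malware is a threat, so the query is widened by inference rather than by the analyst guessing synonyms.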
Federal and local governments identify and monitor several areas of internet and computer-based crime, or "cybercrime." Internet-based fraud may involve financial transactions with credit cards or electronic money transmissions, fraudulent Web sites, illicit-content businesses, illegal online activities such as trading or gambling, identity theft, secure network hacking and intrusion, creation and spreading of viruses and other malware, and cyber-based piracy and terrorism. Criminal investigators use pattern visualization based on neural net-based artificial intelligence techniques such as clustering and analysis of social networks to both extract and predict criminal entities and associated networks (Chen et al., 2004).
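The network-analysis step mentioned above, extracting associated entities from separate incident reports, can be shown with a simple link-analysis routine. The Python below is an added example and not code from Chen et al. or from any investigative tool: it takes constructed fraud-report records (each naming a card, e-mail address, IP address or site seen in one report), links identifiers that co-occur in a report, and returns the connected components as candidate associated networks, plus each identifier's degree so that hub entities stand out. All identifiers are constructed placeholder values.

```python
from collections import defaultdict

# Constructed incident reports: (report_id, identifier observed in that report)
REPORTS = [
    ("R1", "card:4111-1"), ("R1", "email:a@example.test"), ("R1", "ip:203.0.113.5"),
    ("R2", "email:a@example.test"), ("R2", "site:shop-deals.test"),
    ("R3", "ip:203.0.113.5"), ("R3", "card:4111-2"),
    ("R4", "email:z@example.test"), ("R4", "site:win-now.test"),
    ("R5", "site:win-now.test"), ("R5", "ip:198.51.100.9"),
    ("R6", "card:4111-3"),
]


class UnionFind:
    """Disjoint-set forest; connected components fall out of repeated unions."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_edges(records):
    """Link every pair of identifiers that co-occur in one report."""
    by_report = defaultdict(list)
    for report_id, ident in records:
        by_report[report_id].append(ident)
    edges = set()
    for idents in by_report.values():
        for i in range(len(idents)):
            for j in range(i + 1, len(idents)):
                edges.add(tuple(sorted((idents[i], idents[j]))))
    return edges


def cluster(records):
    """Connected components, largest first; each is a candidate associated network."""
    uf = UnionFind()
    for _, ident in records:
        uf.find(ident)                       # register isolated identifiers too
    for a, b in build_edges(records):
        uf.union(a, b)
    groups = defaultdict(set)
    for ident in {ident for _, ident in records}:
        groups[uf.find(ident)].add(ident)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def degree(records):
    """Number of distinct links per identifier; high-degree nodes are hubs."""
    deg = defaultdict(int)
    for a, b in build_edges(records):
        deg[a] += 1
        deg[b] += 1
    return dict(deg)


if __name__ == "__main__":
    for component in cluster(REPORTS):
        print(len(component), component)
    print(degree(REPORTS))
```

On the constructed data the e-mail address and the IP address from report R1 bridge three otherwise separate reports into one five-node cluster, which is exactly the kind of hidden association the visualization techniques in the text are meant to surface; the single card in R6 stays an isolated component rather than being silently dropped.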
Artificial intelligence (AI) by its very nature is a theory based upon uncertainty. As such, so-called "fuzzy" operations are routinely used to classify and interpret data and to make decisions related to analysis stages and for drawing subsequent hypotheses and conclusions. For example, hacking-based identity intrusions are a form of threat encountered in mobile voice communications in 3G cellular networks. Bhattacharjee et al. (2010) outline a voice-based authentication method based on AI, which is capable of validating an authorized mobile subscriber user based upon analysis of the first spoken greeting or salutation word in the conversation, sound frequency alternations, and facial image matching where images are present. AI in this usage leverages uncertainty properties such as ambiguity and imprecision in speech. Fuzzy operations, rules, conditions and sets are invented, derived and applied to authenticate the user in question. The AI algorithm applies different relative weights and grades for parameters based upon occurrence frequencies, to evaluate conformance with the invented fuzzy rule set. Upon successful authentication of the caller, the AI system authorizes the granting of a connection to the called party and the connection is established.
There are a number of advantages to such an AI-based fuzzy logic authentication scheme for mobile subscribers. Firstly, the authentication can occur without the need for additional information to be provided by the caller, or even for the caller to be consciously involved in the authentication procedure. The authentication can be transparently applied to validate not only the calling party, but also the network switching hardware platforms and services employed. Caller validation is established in a fashion that feels natural, utilizing the caller's speech as derived from their initial greeting word. The audio analysis is optionally augmented by a digital analysis of the facial image, using fuzzy analysis and weighting methods to compare and match the caller's image with an established image record in the subscriber database. The need for complex algorithms and cryptographic measures to protect sensitive personal data is also averted with this AI-based method, resulting in a valid, non-invasive authentication carried out in real time, with minimal disruption and inconvenience to the mobile system users (Bhattacharjee et al., 2010).
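The mechanics of the fuzzy authentication scheme described in the two preceding paragraphs (membership grades per parameter, weights derived from occurrence frequencies, fuzzy rules combined to reach a decision) are easier to follow in code. The Python below is an added illustration written for this page and is not the Bhattacharjee et al. algorithm: the membership functions, the greeting-similarity and face-similarity measures, the enrolment profile and the observations are all constructed assumptions. It grades how well an observed greeting word, fundamental-frequency reading and optional face embedding agree with the enrolled profile, weights each parameter by how often it was observed at enrolment, fires a fuzzy AND rule and a weighted rule, and accepts when the aggregate grade reaches a threshold; the optional face parameter is simply absent from the rules when no image was captured.

```python
from dataclasses import dataclass
from typing import Optional


def trapezoid(x, a, b, c, d):
    """Membership grade: 0 at or below a, rising to 1 on [b, c], falling to 0 at d."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


def closeness(deviation, full=10.0, zero=40.0):
    """Membership of 'consistent with profile': 1 within `full` Hz, 0 beyond `zero` Hz."""
    if deviation <= full:
        return 1.0
    if deviation >= zero:
        return 0.0
    return (zero - deviation) / (zero - full)


@dataclass
class Profile:
    greeting: str            # first word the subscriber habitually speaks
    pitch_hz: float          # mean fundamental frequency at enrolment
    face: Optional[tuple]    # constructed embedding, None if never captured
    seen: dict               # parameter -> enrolment sessions in which it was observed


@dataclass
class Observation:
    greeting: str
    pitch_hz: float
    face: Optional[tuple]


def greeting_similarity(a, b):
    """Position-wise character agreement in [0, 1]; tolerant of small recognition errors."""
    a, b = a.lower(), b.lower()
    if not a or not b:
        return 0.0
    return sum(1 for x, y in zip(a, b) if x == y) / max(len(a), len(b))


def face_similarity(t1, t2):
    """Cosine similarity of two embeddings, clipped to [0, 1]."""
    dot = sum(x * y for x, y in zip(t1, t2))
    n1 = sum(x * x for x in t1) ** 0.5
    n2 = sum(y * y for y in t2) ** 0.5
    return max(0.0, dot / (n1 * n2)) if n1 and n2 else 0.0


def memberships(profile, obs):
    """Fuzzy grade, per parameter, of how well the observation fits the profile."""
    m = {
        "greeting": trapezoid(greeting_similarity(profile.greeting, obs.greeting), 0.4, 0.8, 1.0, 1.01),
        "pitch": closeness(abs(obs.pitch_hz - profile.pitch_hz)),
    }
    if profile.face is not None and obs.face is not None:
        m["face"] = trapezoid(face_similarity(profile.face, obs.face), 0.5, 0.85, 1.0, 1.01)
    return m


def weights_from_frequency(seen, available):
    """Weights proportional to how often each available parameter was observed at enrolment."""
    counts = {k: seen[k] for k in available}
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def authenticate(profile, obs, threshold=0.6):
    """Fire two fuzzy rules and accept when the aggregated grade reaches the threshold."""
    m = memberships(profile, obs)
    w = weights_from_frequency(profile.seen, m.keys())
    rule_and = min(m["greeting"], m["pitch"])        # greeting matches AND pitch consistent
    rule_weighted = sum(w[k] * m[k] for k in m)       # frequency-weighted overall grade
    score = max(rule_and, rule_weighted)              # fuzzy OR across the two rules
    return score >= threshold, round(score, 3)


# Constructed enrolment profile: greeting and pitch seen in all 10 sessions, face in 4
SUBSCRIBER = Profile("hello", 120.0, (0.9, 0.1, 0.3, 0.2),
                     seen={"greeting": 10, "pitch": 10, "face": 4})

if __name__ == "__main__":
    print(authenticate(SUBSCRIBER, Observation("hello", 124.0, (0.9, 0.1, 0.3, 0.2))))
    print(authenticate(SUBSCRIBER, Observation("hi", 130.0, None)))
```

Because the weights are renormalised over whichever parameters are present, a call without a facial image is judged on greeting and pitch alone instead of being penalised for the missing channel; the threshold and the membership breakpoints are the tunable part of such a scheme and would be set from enrolment data rather than the constructed values used here.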
Corporate and other institutional networks are now subjected to the threat of sophisticated automated attacks, which must be protected against. Recent advances and increasing adoption of cloud computing and associated virtual processing resources have brought with them entirely new types and genres of security threats. An example is the AI-based entity known as a "superbot" or "hackbot." These are autonomous software-based robots capable of learning and adaptive behavior to changing conditions. The result of the superbot's operations is to present its malicious human perpetrator with a list of vulnerable IP addresses and their connected resources most likely to be susceptible to the attack methods it was designed around, along with a graded list of specific vulnerabilities and recommended attack points. In order to protect sensitive information resources against automated hackbot and superbot intrusions, defense mechanisms based upon challenge-response systems requiring human intervention are being developed and introduced. As the automation level of the attack modules evolves and increases, so too must the design of the defense procedures and methods improve to protect against them. This space is therefore an area of extremely high information security risk, which is highly dynamic and constantly changing (Gold, 2009).
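The challenge-response defense described above can be sketched as a small server-side gate. The Python below is an added example, not code from Gold (2009) or from any product: it serves a client's requests until the request rate within a sliding window looks automated, then withholds service until the client solves a challenge that is bound to that client, single-use, time-limited and limited in attempts. The challenge content itself is injected as a callable returning (prompt, answer), because what makes the step "human intervention" is the puzzle a deployment chooses; the `constructed_puzzle` stand-in here is a plain word to transcribe and is not a real CAPTCHA. Only an HMAC of the expected answer is stored, so the pending-challenge table reveals nothing if it leaks, and the response is compared in constant time. The window, limit, TTL and attempt constants are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

RATE_WINDOW_S = 10     # sliding window for the request-rate check
RATE_LIMIT = 20        # requests per window before a challenge is demanded
CHALLENGE_TTL_S = 120  # a challenge must be answered within this time
MAX_ATTEMPTS = 3       # wrong answers before the challenge is discarded
CLEAR_S = 300          # how long a successful answer keeps a client trusted


class ChallengeGate:
    """Serves requests until a client looks automated, then demands a challenge.

    `puzzle` is a callable returning (prompt, answer): the prompt goes to the
    client, the answer is kept only as an HMAC. `clock` is injectable for tests.
    """

    def __init__(self, secret: bytes, puzzle, clock=time.monotonic):
        self.secret = secret
        self.puzzle = puzzle
        self.clock = clock
        self.history = defaultdict(deque)   # client -> recent request timestamps
        self.pending = {}                   # client -> outstanding challenge record
        self.cleared = {}                   # client -> trusted-until timestamp

    def _mac(self, challenge_id, answer):
        # Bind the answer to the challenge id so one answer cannot be replayed elsewhere
        msg = challenge_id.encode() + b"\x00" + answer.strip().lower().encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def _rate_exceeded(self, client, now):
        q = self.history[client]
        q.append(now)
        while q and q[0] < now - RATE_WINDOW_S:
            q.popleft()
        return len(q) > RATE_LIMIT

    def _issue(self, client, now):
        entry = self.pending.get(client)
        if entry and entry["expires"] > now:
            return entry["id"], entry["prompt"]   # re-serve; never hand out fresh variants
        prompt, answer = self.puzzle()
        cid = secrets.token_urlsafe(16)
        self.pending[client] = {"id": cid, "prompt": prompt, "mac": self._mac(cid, answer),
                                "expires": now + CHALLENGE_TTL_S, "attempts": 0}
        return cid, prompt

    def request(self, client):
        """Returns ('ok', None) or ('challenge', (challenge_id, prompt))."""
        now = self.clock()
        if self.cleared.get(client, 0) > now:
            return "ok", None
        if client in self.pending or self._rate_exceeded(client, now):
            return "challenge", self._issue(client, now)
        return "ok", None

    def answer(self, client, challenge_id, response):
        """Verify a response; success clears the client for CLEAR_S seconds."""
        now = self.clock()
        entry = self.pending.get(client)
        if entry is None or entry["id"] != challenge_id:
            return False
        if entry["expires"] <= now:
            del self.pending[client]
            return False
        if hmac.compare_digest(entry["mac"], self._mac(challenge_id, response)):
            del self.pending[client]
            self.history[client].clear()
            self.cleared[client] = now + CLEAR_S
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[client]   # the next request gets a brand-new challenge
        return False


def constructed_puzzle():
    """Stand-in for a human-solvable challenge: a word to transcribe (constructed)."""
    word = secrets.choice(["harbor", "lantern", "meadow", "quartz"])
    return f"Type the word shown: {word}", word


if __name__ == "__main__":
    gate = ChallengeGate(secrets.token_bytes(32), constructed_puzzle)
    for _ in range(RATE_LIMIT + 1):
        status, payload = gate.request("demo-client")
    print(status, payload)
```

The point the paragraph makes, that defenses must keep pace as attack automation improves, shows up here as the parts a defender would expect to revise over time: the puzzle callable and the rate heuristics are the replaceable pieces, while the binding, expiry, attempt cap and constant-time comparison are the parts that should stay fixed whatever challenge is in use.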
Hentea et al. (2006) recognize the need for academic programs to supplement professional or vendor-based industrial certifications related to information security. Examples of professional certifications include the CISSP, SSCP and GISEC accreditations, while vendor-originated credentials include Cisco's CCSE, Microsoft's MCSE and TISIA among others. At a corporate level, organizations have recognized information security management as a responsibility borne by all levels of an organization, including its suppliers and partner companies and organizations. For example, Ricoh Corporation developed a suite of cross-enterprise information security programs for all employees (ISMS), featuring separate tracks for executives, line managers and general employees. ISMS addresses requirements specific to each employee level at Ricoh, with each member required to attend and selectively become certified through the vehicles of information security workshops, exchange forums with other companies, and benchmarking and implementation activity tours. To complement the specific IA training, Ricoh also implemented general training programs targeted to all employees to augment consciousness and awareness…