A Framework for Adaptive Information Security Systems : A Holistic Investigation

Abstract: This research proposes a framework for adaptive information security systems that considers both the technical and social aspects of information systems security. Initial development of information systems security focused on computer technology and communication protocols. Researchers and designers did not consider culture, traditions, ethics, and other social issues of the people using the systems when designing and developing information security systems. They also seemed to ignore environments where these systems run and concentrated only on securing parts of the information systems. Furthermore, they did not pay adequate attention to the enemies of information systemsand the need for adaption to a changing enviroment. The consequences of this lack of attentions to a number of important factors have given us the information security systems that we have today, which appear to be systemically insecure.   To approach this systemic insecurity problem the research was divided into mini studies that were based on the Systemic-Holistic paradigm, Immune System concepts, and Socio-Technical System theory. Applying the holistic research process the author started first by exploring adaptation systems. After exploring these systems, the focus of the research was to understand the systems and features required for making information security systems learn to adapt to the changing environments. Designing and testing the adaptive framework were the next steps. The acquired knowledge from this research was structured into domains in accordance to ontological principles and relationship between domains was studied. These domains were then integrated with the security value-based chain concept, which include deterrence, prevention, detection, response, and recovery functions to create a framework for adaptive information security systems.   The results of the mini studies were reported in a number of papers, which were published in proceedings of international conferences and a journal. For this work, 12 of the thesis papers are included. A framework for adaptive information security system was created. Trials to apply and validate the framework were performed using three methods. The first method was a panel validation, which showed that the framework could be used for providing adaptive security measures and structuring  security work. The second method mapped the framework to the security standards, which showed that the framework was aligned with the major information systems security standards. The third and last validation method was to map the framework with reported ICT crimes cases. The results indicated that most crimes appear to occur because the security systems in place lacked deterrence security measures and had weak prevention, detection, and response security measures. The adaptive information security systems framework was also applied to a number of areas including a secure e-learning, social networks, and telemedicine systems.   It is concluded in this thesis that this adaptive information security system framework can be applied to minimize a number of  systemic insecurity problems and warrants more applied research and practical implementations.