Category Archives: Information Assurance

Password Reset

Hello Company,

Can you please assist me with resetting my account password for the company customer portal? I don’t know how I answered my “security questions”. I never use the same answers since answering the same question at multiple locations (like my bank, etc) is no different than using a password twice, just these ones an attacker could actually figure out just by finding the right information.

If security is important to you, you should look into multi-factor authentication, and not simply increase the amount of passwords a person has to type in. Please forward this suggestion to Jane Doe, your CIO, who apparently designed the company customer portal.

By the way, when you disallow web browsers from remembering my randomly-generated passwords, it gets in the way of my workflow. I must have saved the password in clear-text somewhere, but instead now I’m spending my employer’s time emailing you for help.


[changed for privacy]


Corporate-centric Information Operations

Treating information warfare as an extension of information assurance seems generally prudent. CIOs and CISOs should be aware of the correlated risks and act appropriately. The modern enterprise depends on an ever-growing need for information and automated information management systems. While information assurance offers a holistic approach to defending a business organization, the risks of all three classes of information warfare are not even brought into question in corporate-level information assurance policy management frameworks. The following model is an attempt to describe where information operations risk management could be implemented. Short-term damage can largely be applied to class 2 information warfare (corporate implications), while long-term damage can be applied to class 3 information warfare (regional or global implications).

Informal Networks

This is a copy of my National Cybersecurity Awareness Campaign Challenge proposal. I licensed it under the Creative Commons Public Domain license when I submitted it to DHS on 02010 April 30. Since its submittal, two updates have been made to the document:

  • The term “secondary education” has been replaced with the correct term “higher education.” I was misusing “secondary education” to include the college and university education level.
  • The term “America” has been replaced with “United States.” Again, I was misusing the term “America,” in the sense that an American public exists in all of North, Central and South America. While the aim of this project should include a global audience, to begin it should start in the United States.

The Big Picture

  • The problem: The United States public is an extremely large and diverse populace and is generally unaware of cyber risks.
  • The mission: To clearly and comprehensively communicate with the United States public about the issues concerning cyber security.
  • The vision: An informal network composed of various teams and communities organized to share and disseminate cyber security knowledge.

Bill Clinton, regarding health clinics in Rwanda, said that it’s not enough to create one, but that you’ve got to create a system that will work better and better. Public awareness concerning the safe use of the Internet and of the devices that connect us to the Internet requires a holistic strategy. The Department of Homeland Security (DHS) has a complex problem to address concerning the cyber education of residents in the United States. This complex problem is a common problem in every nation in the world, and it is going to take efforts from a global community, the Internet community, to minimize the dangers of using the Internet. The solution to this common problem has to be flexible in order to adapt to the dynamic nature of information and communication technologies that use the Internet. The solution to this common problem also has to be scalable to reach beyond mass-media outlets and be personable so that learning individuals can appreciate the need for Internet best-practices.

The Federal Bureau of Investigation (FBI) created InfraGard in 1996, a public-private partnership to assist the private sector with managing critical infrastructure. DHS needs to create a similar partnership to assist the public with becoming cyber literate—to understand the risks involved with uploading and downloading data and information via the Internet. DHS is in an ideal position to facilitate a cyber education movement in a very organized, informal and cost-effective way. The objective of this movement is to set the foundation for an international network of experts that will create and manage an education framework of solutions for all communities. The facilitation of this movement should entail an expansion of the National Cyber Security Alliance (NCSA) that would engage with colleges and universities to manage education programs tailored to their immediate and surrounding communities.

Richard McDermott and Douglas Archibald, in an article titled Harnessing Your Staff’s Informal Networks from the March 2010 edition of the Harvard Business Review magazine, describe the value of informal teams and communities to “share knowledge and attack common problems.”

“Consider the rise and fall of an informal group of experts at a large water-engineering company located just outside London. Starting in the early 1990s, they began meeting weekly to discuss strategies for designing new water-treatment facilities. The gatherings were so lively and informative that they actually drew crowds of onlookers. (The company can’t be named for reasons of confidentiality.)

The community initially thrived because it operated so informally. United by a common professional passion, participants would huddle around conference tables and compare data, trade insights, and argue over which designs would work best with local water systems. And the community achieved results: Participants found ways to significantly cut the time and cost involved in system design by increasing the pool of experience that they could draw upon, tapping insights from different disciplines, and recycling design ideas from other projects.”

[Harvard Business Review, March 2010, Reprint R1003F]

It is critical that any program designed to educate a population as large as the one inside of the United States do so with care that takes advantage of the uniqueness of individual communities. This program must approach each and every community within the United States with systems that are already available, thereby decreasing the overall cost to DHS while increasing outreach effectiveness. By expanding NCSA, DHS can interface with, at first, colleges and universities across the United States that have information technology related education programs.

The High-level Phases

The NCSA expansion should include several phases in order to build an infrastructure that can support the mission and vision previously outlined. An NCSA expansion must include network creation within the United States, but it must be done in a highly organized and targeted way in order for the network to propagate itself. This network self-propagation is necessary for the network to expand beyond the physical borders of the United States. The second phase of the NCSA expansion must include an international audience. Cyber literacy is a matter of national security. Cyber literacy extends beyond the borders of the United States because cyber crime outside of the United States directly affects the state of national security. Therefore the cyber education movement must include an international audience in order to draw on resources beyond our own.

The Processes

Process #1
NCSA Expansion <–> Higher Education

In order to educate the people of the United States on such a large scale, the NCSA expansion must utilize colleges and universities throughout the United States. These already established systems (college campuses) are critical because they are already integrated into their communities, and because they contain the people needed to help DHS with its new mission. The successful completion of this process entails finding students and faculty who are interested in the information assurance profession, and providing these experts and experts-to-be with an infrastructure that will allow them to interface with specific parts of their communities in order to grow and share information. NCSA would be responsible for disseminating the following to these higher education teams:

  • Step-by-step processes, goals and objectives in formats organized using systems analysis and design (SAD) models. By providing a framework that is common among business organizations, SAD models will allow for future integration and increase the knowledge and experience of the students involved.
  • Information packages with up-to-date, specific cybersecurity information. These information packages will be the primary resources for higher education teams, providing the main content that will be disseminated throughout the team’s community. Information packages will be supported by an online database and social network tailored to the needs of the larger community.
  • Communication tools that will bridge gaps between teams with the goal of creating stronger communities. The primary objective of teams will be the development of their communities. NCSA can conduct research that will find organizations that can support nearby higher education teams, or vice-versa, and act as a hand-shake intermediary.

The secondary objective of teams is the establishment and facilitation of cybersecurity information. The following processes will help explain how this will take place.

Process #2
Higher Education <–> Private Sector

The private sector is an important part of the United States public cyber learning effort. This is because the information assurance best-practices that need to be shared with the general United States public must interface, at some level, with private sector business practices. What people practice at home must make sense with the general practices carried out at work. Therefore it is important for NCSA to support symbiotic relationships with the private sector, through the higher education teams, in order to expand local communities. These symbiotic relationships should support the following goals:

  • Increase networking potential on all levels, for both students and business professionals, helping to satisfy the primary objective:
      • By connecting students to business professionals, students can ask questions and get answers based on experience. Students will also be in a position to ask for meaningful internships within their communities.
      • By connecting business professionals to students, business professionals can ask students to conduct specific research projects. Businesses will also be in a position to see how specific students perform in a business setting.
  • An NCSA expansion can support quarterly meetings between students and business professionals in pre-determined regions. These quarterly meetings can:
      • Provide direct networking opportunities, as outlined above
      • Provide opportunities for students to present to business professionals their findings from their research and teaching experiences
      • Support a regional community of information assurance professionals for sharing emerging threats and their expected impacts at work, at home and in school
  • It has been claimed that two thirds of all business organizations in the United States have no Internet security policies. Higher education teams in cooperation with NCSA can offer no-cost education programs specific to business organizations that need to better their information assurance programs, or to create them. This can be done via specific information packages provided by NCSA. These packages can include, but are not limited to, general employee training, general security auditing, and general policy development. The information packages provided by NCSA can include resources for local businesses that provide professional consulting services if it is found that these business organizations need to meet federal or state regulations.

Process #3
Higher Education <–> City Council

City councils generally have special projects or programs that can affect local business organizations, schools, or public facilities or events. Each of these entities interfaces with the Internet on some level, which means the city council is a perfect place to increase cyber literacy. Higher education institutions in cooperation with NCSA can offer educational programs specific to the needs of city councils, either directly to city councils, or directly to entities that interface with city councils. Because there can often be multiple higher education institutions in any given region, this presents an opportunity for these higher education teams to strategically work together to accomplish their goals concerning the secondary objective.

Process #4
Higher Education <–> Community Centers

Community centers provide higher education teams a neutral location to offer no-cost public services for general cyber awareness events, helping satisfy the secondary objective. Adult attendees can take information packets to their workplace, spreading general cyber awareness, and can give these workplaces contact information for the higher education teams for future awareness training. This helps satisfy the primary objective.

Process #5
Higher Education <–> Primary Education

Primary education institutions are the focal points for higher education teams concerning the secondary objective. Each year, primary education students increase their experience with Internet-facing devices. Primary education teachers are not thoroughly educated to teach cyber security topics to their students. The higher education teams can relieve primary education institutions by providing them with no-cost information packages, provided by the NCSA, and no-cost training services, provided by the higher education teams. Again, this interface with primary education institutions gives adults the opportunity to share the services provided by the higher education teams with their family and friends, helping satisfy the primary objective.

Process #6
NCAE <–> NCSA Expansion

The National Security Agency (NSA) National Centers of Academic Excellence (NCAE) generally have very large information assurance networks, either within their respective universities or in their professional communities. NCAE can support NCSA by:

  • Being the test-beds for the NCSA cyber literacy expansion
  • Expanding student-led research opportunities, helping satisfy the primary objective

Process #7
InfraGard <–> NCSA Expansion

InfraGard can assist NCSA by helping develop the information packages designed for business organizations, helping satisfy the secondary objective. InfraGard can later integrate itself into regional communities, expanding the higher education team’s community, helping satisfy the primary objective.

Process #8
AmeriCorps <–> NCSA Expansion

AmeriCorps can work with NCSA by providing national community service opportunities to provide cyber security awareness training to regions of the United States with no nearby higher education teams. These opportunities could be team-based or individual-based. This extended service could then establish its network, helping satisfy the primary objective, by making new contacts in these isolated regions of the United States.


The opportunities presented in this paper are colossal for both DHS and for information assurance students in higher education. Each of these processes and experiences must be designed to be recorded in a privacy-conscious, systematic fashion. This documentation will then be integrated back into the NCSA developed social network and database for continued, sustainable growth.

The primary objective of teams will be the development of their communities. The secondary objective of teams is the establishment and facilitation of cybersecurity information. These distributed teams and communities will form an informal network of information assurance students, managers, community leaders, researchers, practitioners and educators. Combined, DHS will have access to a plethora of talent and means to educate the United States public. This strategy will take time and careful planning, but once begun, it will be a system that gets better and better over time.

Information Assurance Scenario Canonicalization

This is a research project proposal that I hope to turn into a master’s or doctoral thesis.


Understanding the threat spectrum when designing security policies to govern how businesses should share and use information by means of information and communication technologies (ICT) is a complex process. Every company in the world that uses ICTs as a means to conduct business needs some form of an information assurance program that orients proper handling of shared information from creation to destruction. Information is dependent on data, and both data and information can be used improperly to put any business at risk of damaging its customers or itself.

Internet-based social media platforms, in particular, have made it so easy to share information that their effectiveness in the business environment decreases time and money spent while increasing connectivity to a global audience. But the opportunities and risks of using social media platforms are not holistically clear. The mediums that store, transfer, and communicate the information to us dramatically affect our perceived consequences. All organizations must have a way of thoroughly understanding the risks involved with the evolution, emergence and integration of technologies that have the capability of distributing data and information.


By using a multidisciplinary approach to canonicalize information sharing scenarios for a range of public sector and private sector organizations, a scalable framework can be developed in order to quantify risk and opportunity involved with the use of ICTs, with a focus on Internet-based social media platforms.

Similar work

  • Scenario planning

Mats Lindgren and Hans Bandhold, authors of Scenario Planning: The link between future and strategy, illustrate many process models that can be adapted to better understand the relationships between information. By using these models in various applications, the organization of the causes and effects of data, information, uses, and mediums will be defined clearly and effectively.

  • Philosophy of information

Dr. Luciano Floridi, author of Information – A Very Short Introduction, describes the implications of biological information. In application to information assurance, this conceptual analysis will allow for the development of specific information models that will help illustrate the security implications of humans and technology as information storing and sharing processors.

  • Information assurance

The United States Chief Information Officers Council, in a document entitled Guidelines for Secure Use of Social Media by Federal Departments and Agencies, outlines a model developed by Dr. Mark Drapeau and Dr. Linton Wells that describes the four functions of social software. However, the current state of ICT relies heavily on visual and auditory stimuli. An expansion of this social-media model must include an analysis of the other three information receptors: touch, taste, and smell. This expansion must occur to develop scenarios that take into consideration the future trends of virtual reality and a deeper integration into a human-developed infosphere.

Proposed outcomes

  • Goal #1

This phase of the project entails graphical modeling of a wide range of information sharing scenarios utilizing ICTs. The scope of the information sharing scenarios will begin with Internet-based social media platforms and will expand to include various forms of telecommunication services. It is necessary to incorporate a comprehensive selection of scenarios in order to compile a large knowledge base for Goal #2. The knowledge base will be organized systematically according to the complete life cycle of information processing concerning data, information, information stakeholders, and information transport mediums.

  • Goal #2

Using the knowledge base established in Goal #1, a critical analysis must take place utilizing Dr. Floridi’s work concerning the philosophy of information. This analysis should include applied concepts such as information as, for and about reality. A better understanding of the relationships between people, ICTs, and a combination of people and ICTs (dependent on origin and destination) can be quantified in direct relation to our perception of any given ICT’s interface. Further research regarding human perceptions of ICTs can be applied using Dr. Sherry Turkle’s research in psychoanalysis and culture in relation to people’s relationship with technology. This exploration will expand the knowledge base for Goal #3.

  • Goal #3

I presume that following Goal #2, commonalities among ICT interfaces will become evident. This presumed manifestation should allow for the expansion of Dr. Mark Drapeau and Dr. Linton Wells’ four functions of social software model. This expanded model should be able to visually depict a more precise yet comprehensive representation of the utilization of ICTs. This representation will be able to quantify human-centric information control feasibility, impact, and residual risk depending on the source and destination of complete life cycle information dissemination.

  • Project Objective

The final phase of this project will include the development of system development life cycle processes to assist public sector and private sector organizations with establishing more coherent information assurance programs.

Systems Development Life Cycle for Information Assurance

This is an ongoing project of mine that will entail a lot of updating. I am presuming that I can establish a common framework using the highly-adaptable systems analysis and design framework, a systems development life cycle, to break down common attributes of various IT security frameworks such as the NIST-800 series and PCI-DSS. After my model is complete, a user could plug in the various sub-processes of said IT security frameworks, which would help make clear which aspects of various frameworks are complete, incomplete, or missing. This framework could also be used to integrate multiple IT security frameworks, and by using scores for each sub-process, the user could generate a “most-effective” or “most-cost-effective” information assurance plan.
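As an added illustration of the plug-in-and-score idea (example code written here, not the author's model), the Python below maps sub-processes from two frameworks onto a five-phase SDLC, reports which phases are complete, incomplete or missing, and searches for the most-effective and most-cost-effective plan within a budget. Only the framework names come from the post; the sub-process names, phase assignments, scores and costs are constructed placeholders, not real NIST SP 800 or PCI DSS control identifiers.

```python
"""Added example: gap analysis and plan selection over SDLC-mapped security
sub-processes. All names, scores and costs are constructed placeholders."""
from dataclasses import dataclass
from itertools import combinations

# Assumption: a classic five-phase SDLC is the common model.
PHASES = ("planning", "analysis", "design", "implementation", "maintenance")


@dataclass(frozen=True)
class SubProcess:
    framework: str
    name: str
    phase: str
    effectiveness: int  # assessor-assigned score, 0-10 (assumption)
    cost: int           # relative cost units (assumption)


# Constructed catalog: two frameworks plugged into the common SDLC model.
CATALOG = [
    SubProcess("NIST 800 series", "Risk assessment", "planning", 8, 3),
    SubProcess("NIST 800 series", "Security categorization", "analysis", 6, 2),
    SubProcess("NIST 800 series", "Control selection", "design", 7, 4),
    SubProcess("NIST 800 series", "Continuous monitoring", "maintenance", 9, 5),
    SubProcess("PCI-DSS", "Scope definition", "analysis", 5, 1),
    SubProcess("PCI-DSS", "Network segmentation", "design", 8, 6),
    SubProcess("PCI-DSS", "Quarterly scanning", "maintenance", 5, 2),
]


def gap_report(catalog):
    """Per phase: 'complete' if every framework contributes a sub-process,
    'incomplete' if only some do, 'missing' if none does."""
    frameworks = {sp.framework for sp in catalog}
    report = {}
    for phase in PHASES:
        present = {sp.framework for sp in catalog if sp.phase == phase}
        if not present:
            report[phase] = "missing"
        elif present == frameworks:
            report[phase] = "complete"
        else:
            report[phase] = "incomplete"
    return report


def best_plan(catalog, budget, objective="most-effective"):
    """Exhaustive search of sub-process subsets that fit the budget.
    most-effective: maximise total effectiveness.
    most-cost-effective: maximise effectiveness per cost unit, restricted to
    plans covering every phase the catalog can cover (otherwise the winner is
    just the single cheapest high-ratio item). Returns None if nothing fits."""
    coverable = {sp.phase for sp in catalog}
    best, best_key = None, None
    for r in range(1, len(catalog) + 1):
        for combo in combinations(catalog, r):
            cost = sum(sp.cost for sp in combo)
            if cost > budget:
                continue
            eff = sum(sp.effectiveness for sp in combo)
            if objective == "most-effective":
                key = eff
            elif objective == "most-cost-effective":
                if {sp.phase for sp in combo} != coverable:
                    continue
                key = eff / cost
            else:
                raise ValueError(f"unknown objective: {objective}")
            if best_key is None or (key, -cost) > best_key:  # cheaper wins ties
                best, best_key = combo, (key, -cost)
    if best is None:
        return None
    return {"subprocesses": sorted(sp.name for sp in best),
            "effectiveness": sum(sp.effectiveness for sp in best),
            "cost": sum(sp.cost for sp in best)}
```

With the constructed catalog, the gap report flags the implementation phase as missing from both frameworks and planning as covered by only one, which is the kind of finding the model is meant to surface.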