What Is Information Assurance?
Information assurance (IA) is the buzzword borrowed from government circles for what used to be called information security. The word "assurance" is supposed to emphasize the increasingly accepted principle that "Security is a process, not a product." 1 Security results from continual attention to a shifting technical infrastructure, changing vulnerabilities, and new threats.
What do we protect in IA? Some security experts still speak of the "classic triad" of confidentiality, integrity, and availability, but many of us include three other elements: control or possession, authenticity, and utility. 2 This Parkerian Hexad (named for Donn Parker, a founding father of this field) covers all attributes of information using atomic, nonoverlapping definitions of each attribute.
What Is the Global Context for IA?
U.S. Presidential Decision Directive 63 (PDD-63) states,
It has long been the policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.
In January 2000, President Clinton asserted: 3
In less than one generation, the information revolution and the introduction of the computer into virtually every dimension of our society has changed how our economy works, how we provide for our national security, and how we structure our everyday lives. Yet this new age of promise carries within it peril. All computer-driven systems are vulnerable to intrusion and destruction. A concerted attack on the computers of any one of our key economic sectors or governmental agencies could have catastrophic effects. We know the threat is real.
Is There a Need for IA Professionals?
The demand for a cadre of professionals with IA expertise in various disciplines is outstripping the global capacity for producing credentialed graduates. 4 Industry observers concur that despite the recent downturn in information technology hiring, "Analysts say expertise in network security, particularly as it relates to spam and wireless technology, also will become important. [David] Foote, 5 who tracks pay rates for specific skills and specialties, says now is the time for people to jump into the security field." 6 Foote is quoted as saying,
Our research has shown pay for information security and security jobs, skills and certifications have been above average for two years straight. The writing is on the wall: If you're not in that business, you might want to point your career toward that. ... Security hasn't been a sexy place to work. It hasn't been funded very well. But clearly when the smoke clears it will be funded, and it will be funded well.
The SAGE Special Technical Group of the USENIX Association studies salaries of system and security administrators in collaboration with the SANS (SysAdmin, Audit, Network, Security) Institute and Sun Microsystems' BigAdmin user group. One of the findings in the 2002 report that will particularly interest scientists is that baccalaureate, master's, and doctoral degrees have significant effects on average salary among respondents in the system and network administration field.
For example, respondents with "relevant" postgraduate education (p. 39, registration required) reported salaries about 7% higher than average for holders of master's degrees and about 13% higher than average for holders of doctorates. Results for those reporting "security" in their job title (p. 43, registration required) showed a range of salaries between about $66,000 and $82,000 depending on years of experience.
What Are the Challenges We Face in IA?
Some of the problems IA professionals struggle with are rooted in technological inadequacies; however, much of our work involves human factors. Here are some of the key areas of concern: 7
Policy, power, and position: Policies are missing, obsolete or incomplete; staffing is inadequate; employees have responsibility without authority.
Training and awareness: Employees are unaware of the social-engineering tricks criminals use to extract access codes; because genuine security incidents are rare, defensive behavior is seldom reinforced and gradually dies out.
Hiring, management, and firing: Many computer-related crimes involve employees or ex-employees.
System administration: Due diligence in protecting information assets is required in today's legal and regulatory environment.
Establishing effective security configurations: Network topology, firewall configuration, and workstation protection all play crucial roles in safeguarding our systems.
Maintaining software: Because new attacks on new (or old) vulnerabilities are a fact of life, software patches and upgrades must be systematically evaluated and implemented.
Detecting security breaches: No system is perfectly secure; every system must have sensors to detect deliberate breaches or accidental failures.
Responding intelligently: Without organization and practice, security breaches can become disasters.
Using independent security evaluations: New international standards, such as the Common Criteria (ISO/IEC 15408), allow increasingly thorough third-party verification of system security.
What Do Employers Want?
As program director and curriculum designer of the Master of Science in Information Assurance (MSIA) at Norwich University in Northfield, Vermont, I performed research and interviewed security professionals as I was designing the program in 2002. My conclusions were that our graduates should be prepared to discuss IA and security as peers with fellow security professionals in industry, government, military, and academic environments. They would have integrated a thoroughgoing commitment to a multidisciplinary perspective on IA, fully aware at all times that technology must be integrated with human factors for success in defending information resources.
IA specialists should address the evolving nature of the social fabric of their country and of this planet as it becomes increasingly dependent on networked electronic systems. IA professionals need to understand both the critical technical underpinnings of this electronic environment and exactly how to defend and protect critical information infrastructure. They should support individual privacy rights and understand how those rights are affected by the increasingly interconnected banks of information about individuals and their activities and interests. As we become a global village for business, IA professionals should be able to cope with differing perspectives on information security and apply a set of ethical decision-making principles when deciding how best to implement IA in various environments.
For More Details on Careers in Information Assurance
The author has prepared a document with FAQs about careers in IA plus an extensive list of print and online resources, available for download (PDF format). This resource includes detailed appendices with books for beginners and advanced readers, online and electronic materials, live educational training courses, professional and educational organizations in the field (including international organizations), certifications, conferences, and major academic programs in the United States, Canada, Europe, and Australia.
M. E. Kabay, Ph.D., CISSP, is associate professor of information assurance and program director of the MSIA and BSIA programs in the Division of Business and Management at Norwich University in Northfield, Vermont.
1 This view has been articulated particularly well by famed cryptographer and security evangelist Bruce Schneier; see for example "The Process of Security," his Cryptorhythms column for April 2000 in Information Security Magazine at http://infosecuritymag.techtarget.com/articles/april00/columns_cryptorhythms.shtml
2 D. B. Parker, Fighting Computer Crime: A New Framework for Protecting Information (John Wiley & Sons, New York, 1998). ISBN 0-471-16378-3. xv + 500 pp; index.
3 W. J. Clinton, National Plan for Information Systems Protection (2000). http://www.fitug.de/news/newsticker/old/2000/newsticker080100183647.html
4 See for example the U.S. House of Representatives Report 107-355 Part 1: Cyber Security Research and Development Act, §II (Background and Need for Legislation). http://thomas.loc.gov/cgi-bin/cpquery/0?&&dbname=cp107&&&r_n=hr355p1.107&&sel=DOC&
5 President and chief research officer at Foote Partners, http://www.footepartners.com/
6 J. Mears, Cautious growth: As IT hiring slowly increases, employers seek security, Web services, Linux and business skills. NetworkWorldFusion, 16 February 2004. http://napps.nwfusion.com/careers/2004/0216man.html
7 This section is a summary of a longer paper. For more details, see M. E. Kabay, What's important for information security: A manager's guide (2004). http://www2.norwich.edu/mkabay/infosecmgmt/mgrguidesec.pdf