
Managing Information Security Breaches

Managing Information Security Breaches: Studies from Real Life

Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 184
    Book Description:

    Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses; major companies and government departments suffer from them as well. Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency. It focuses on the treatment of severe breaches and on how to re-establish safety and security once the breach has occurred. These recommendations support the controls for the treatment of breaches specified under ISO27001:2005. The author uses cases he has investigated to illustrate the various causes of a breach, ranging from the chance theft of a laptop at an airport to more systematic forms of data theft by criminal networks or for purposes of industrial espionage. These case studies enable an in-depth analysis of the situations companies face in real life, and contain valuable lessons your organisation can learn from when putting in place appropriate measures to prevent a breach. The actions you take in response to a data breach can have a significant impact on your company’s future. Michael Krausz explains what your top priorities should be the moment you realise a breach has occurred, making this book essential reading for IT managers and chief security officers.

    eISBN: 978-1-84928-095-2
    Subjects: Technology

Table of Contents

  1. Front Matter (pp. 2-4)
  2. FOREWORD (pp. 5-6)

    In 1992, a business acquaintance of mine introduced me to something he called ‘the ultimate book on information security’. It turned out to be a guide written by a retired NSA officer with a tendency to talk a little bit more than would probably have been allowed in the terms of the NDAs he had once signed. This, of course, was all the more appreciated by those listening to him. The book focused entirely on written information, and had originally been published in the late 80s or early 90s, a time when I started to use punch card paper as...

  3. ABOUT THE AUTHOR (pp. 8-8)
  5. Table of Contents (pp. 9-11)
  6. INTRODUCTION (pp. 12-13)

    Breaches of information security are not a new phenomenon, but the means of perpetrating such breaches have changed considerably over the years. Leaking information has always been an issue, but the speed and effectiveness with which breaches of information security can occur, and the potential magnitude of harm caused in today’s computer age, are disturbing and, moreover, typically favour the perpetrator, not the victim.

    Bearing in mind the dependency of modern companies on their IT systems, it is clear that special care needs to be taken to keep systems safe and secure. This book focuses solely on the aspects of...

  7. Part 1 General

      What is the real worth of the USB stick you just bought for £15? After a year, if you included it as a short-term cost item in your accounts, it would not be worth anything. On the other hand, if it contained all the latest data of your research project which was bound to pay off in a couple of years, then it would be worth pretty close to infinity or, at least, the future of your company.

      It is not easy to define risk or what taking a risk really means. Sometimes people try to use probabilities and ALEs...


      The best breach is, of course, the one that never happens. In order to achieve that, it is of paramount importance to get one’s risk profile right and to fully and thoroughly understand the risk situation of the company. The word ‘situation’ includes knowledge about threats, vulnerabilities, potential damage, likelihoods, business options for treatment and acceptable losses, all under the circumstances and business environment the company operates in for all its branches, subsidiaries and locations.

      We will describe two ways of understanding one’s risk profile: a rather intuitive one, to serve as a starting point yielding reasonable results, and a...

    • CHAPTER 3: WHAT IS A BREACH? (pp. 50-60)

      Defining what constitutes a breach of information is not easy. Does only criminal activity constitute a breach? Is it only the things we read and hear about in the media (such as the Army ‘losing’ data), or does everything that causes damage count as a breach? These are practical questions, even though they may sound strange at first.

      When establishing the roles, responsibilities, processes and technologies required in a company to ensure information security, these questions can be answered with ease at the technical level. They start to become more complex once the differing views of affected departments come to...


      As already mentioned, this book deals only with severe incidents, referred to as ‘breaches’ and with breaches in the strict sense of the word, meaning that damage to confidentiality, availability or integrity of information has actually occurred, or is bound to occur, if mitigation of a risk does not set in immediately. In the case studies, we will mainly describe severe breaches of confidentiality (most common), followed by availability problems of such magnitude that one could call these breaches, and then just a few integrity breaches. Breaches of integrity are not so common when sticking close to our definition, as...

  8. Part 2 Case studies
    • CHAPTER 5: NOTES FROM THE FIELD (pp. 97-100)

      This chapter will present some of the substantial differences that exist between a police investigation and a private one, as one or the other usually follows a breach. It seems necessary to point out these differences, to provide the reader with a better understanding of the available options.

      Strange as it may sound, you should carefully weigh the risk of your situation getting more publicity than you wish for, if you report it to the authorities. If your case is high profile enough, either due to the nature of the breach (such as 100 million credit card records stolen) or...

    • CHAPTER 6: MOTIVES AND REASONS (pp. 101-106)

      Breaches do not just happen. Breaches are committed. They are committed by determined people and facilitated by a lack of measures in one of the areas introduced in Part 1 (people, processes and technology). In this chapter, we will be taking a detailed look into the motives of people who have committed breaches, and into the basic reasons why they were able to succeed. An in-depth analysis of the author’s archives has shown that all motives can be narrowed down to four basic ones, all of them very, very human: greed, despair, a disgruntled employee seeking revenge and too lazy...


      The following chapters present case studies of information security breaches from all sectors of the economy, arranged by the size of the company affected.

      Names and places have been changed to protect the identity of the victims.

      The stories have been slightly dramatised to make them more readable, but all essential facts have remained unaltered, and took place as described.

      The case studies contain a description of the events, followed by an in-depth explanation, and a separate section on lessons learned, where applicable.

      All was well at Peter B’s computer repair shop, in this city of 2 million inhabitants, somewhere...


      This case is not for the faint of heart, as it illustrates some of the rougher aspects of corporate life today.

      Four medium-sized, highly regarded companies decided to join forces and brands, and combine one aspect of their activities into a new company and, thereby, a new brand. That company, henceforth called X, was established and one managing director (Y) was given full, sole decision power on all business aspects. He was given an assistant, leased to company X by one of the parent companies.

      At first, all went well, and company X performed well. Suddenly, however, managing director Y developed...


      There’s a company which does 100% of its business online. It specialises in providing online services, so its IT systems and their security are of considerable importance. As any big company (4,000+ employees, several sites and branches worldwide) would do, they have a PR department that also follows up on Internet gossip, on what is going on in the chat rooms provided by the company, and in relevant online forums. This turned out to be a very wise move as, one lovely July day, a message popped up in one of these forums, which froze the blood of the head...

  9. Part 3 A Sample Treatment Process

      In this part, we will present a treatment process for dealing with a breach. This process is intended for larger companies.

      It comprises the major steps below.

      1 Gather information.

      2 Determine extent and damage.

      3 Establish and conduct investigation.

      4 Determine mitigation (in parallel with Step 3).

      5 Implement mitigation.

      6 Follow up on investigation results.

      7 Determine degree of resolution achieved.

      Now let us look at these steps in detail.

      This is the initial step. We assume that you have just been made aware of the fact that something might be wrong.

      You will spend the next hours...

  11. ITG RESOURCES (pp. 182-184)