Being simple is complicated
(Être simple, c’est compliqué)
Advances in Information Systems Set
coordinated by
Camille Rosenthal-Sabroux
Volume 10
First published 2018 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2018
The rights of Pierre-Emmanuel Arduin to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2017963958
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN 978-1-84821-972-4
Figure 1. A Hollerith punch card in 1890
Figure I.1. Example of a successful Carbanak phishing e-mail accompanied by a compressed configuration file in .rar format
Figure 1.1. Artifacts supporting an information system in the second Century BCE
Figure 1.2. Artifacts supporting the Roman army’s information system in the first Century
Figure 1.3. Chappe’s Telegraph, an artifact supporting the information system of the French State in the 19th Century
Figure 1.4. “Correspondence Cinéma – Phono – Télégraphique”: artifacts supporting an information system in the year 2000, as seen in 1910 by Villemard
Figure 1.5. First page of the August 30, 1890 Scientific American showing how the artifacts supporting an information system made it possible to reduce processing time
Figure 1.6. Control console of the LEO I in 1953. For the first time, a computer system supported an information system in a business
Figure 1.7. Audio and video interface with screen sharing in 1968, confusion developed between “computer system” and “information system”
Figure 1.8. a) The ARPANET in 1977 and b) the Internet in 2015
Figure 2.1. Sense-giving and sense-reading constitute tacit knowing, the basic structure of the knowledge transfer
Figure 2.2. Knowledge is tacit: this formula, although explicit, is useless for the cyclist. Moreover, for someone who does not grasp its meaning, which is tacit, this remains uncomprehended
Figure 2.3. The transfer of tacit knowledge
Figure 2.4. The different types of interpretative frameworks: intrusion or non-intrusion into the environment, which is judged analyzable or non-analyzable
Figure 2.5. a) Weak and b) strong commensurability of interpretative frameworks
Figure 2.6. Commensurability in mathematics: here a = 2u and b = 3u, a/b = 2/3 is a rational number, a and b are therefore commensurable
Figure 2.7. A representation of the solar system according to Aristotle, extract from the Cosmographicus liber of Petrus Apianus in 1524
Figure 2.8. Mendeleev’s table, the periodic classification of elements, in 1869
Figure 2.9. A communication breakdown: the two people link terms to nature differently. For example here when A ≠ B
Figure 2.10. Mental models are internal representations of external reality at the root of reasoning, decisionmaking and behavior
Figure 2.11. Using the flow of water to explain electrical currents, an example of copying an existing mental model to explain an unknown domain
Figure 3.1. Taxonomy of threats aimed at the security of information systems
Figure 3.2. Two dimensions and three categories of insider threats
Figure 4.1. a) Phishing and b) spear phishing: the insider threat can be unintentional in the absence of awareness
Figure 4.2. A seemingly harmless e-mail
Figure 4.3. A web page simulating a Microsoft Windows error screen
Figure 5.1. Workarounds: an adjustment between constraints on the ground (bottom-up) and strategic pressures (top-down)
Figure 5.2. A caricatural workaround showing the innovation and risk aspects
Figure 5.3. The fragile balance of security when the threat is internal, intentional and non-malicious: workarounds
Figure 6.1. The Security Pacific National Bank building in 1971
Figure 6.2. Straub–Welke’s security action cycle
Figure 6.3. a) A deterrent public health poster in 1942 b) and an information systems security deterrent poster in 2003
Figure 6.4. Point between a fully malicious employee (right), fully non-malicious employee (left) and one likely to use neutralization techniques (center)
Figure 6.5. Ease of deterring a violation of the information system security policy when the threat is internal, intentional and malicious
Scenario 4.1. What is your employee number?
Scenario 4.2. Are you there?
Scenario 4.3. Set it on the doorstep, thank you
Scenario 4.4. It’s for the vice-president
Scenario 6.1. The Post-it in the transfer room
Information is the basis of all interactions between two beings endowed with intelligence: from chemical variations between cells to the exchange of electronic signals between machines, information has been exchanged since the beginning of time. An attentive reader will question whether cells and machines are really endowed with intelligence, but what is intelligence if not our capacity to link ideas with each other? The word “intelligence” is in fact made up of the Latin suffix inter- meaning “between” and the stem ligare meaning “to link”. Information and intelligence thus seem to converge toward this idea of linking, for any kind of being, through exchange of information, or ideas, through intelligence.
Language follows this path and so does writing: both support the exchange of information in an information system. An information system can be seen as a group of digital and human resources organized in order to process, spread and store information [REI 02]. In Europe, the Church had a strong hold on writing but, due to increasing commercial activity during the 11th and 12th Centuries, writing became more widely established and was integrated into the management of businesses and the sharing of information as a source of knowledge. In the 15th Century, Gutenberg sped up the diffusion of information by inventing the printing press. This first breakthrough was followed, at the end of the 19th Century, by another innovation when Hollerith, with the Tabulating Machine Company, did not speed up the diffusion but rather the processing of information. In order to help with the census of the U.S. population in 1890, he proposed coding information regarding each U.S. citizen on punch cards before processing them (Figure 1). Thus, information becoming processed automatically lead to the birth of computer science. At the beginning of the 20th Century, the Tabulating Machine Company became the International Business Machines Corporation: IBM.
The massive computerization of information systems during the second half of the 20th Century led the countries engaged in this process to reflect on the ethics and security of these systems. Indeed, Hollerith’s tabulating machines would have allowed the Nazi regime to take an inventory of thousands of people and thus facilitate their deportation. In 1974 in France, the Système Automatisé pour les Fichiers Administratifs and Répertoire des Individus (SAFARI) project aroused strong emotions among the public when the Ministry of the Interior wanted to create a centralized database of the population with all administration and banking files. In response to this controversial initiative, the French Data Protection Authority (CNIL) was created in 1978 in order to define a framework for computer science to be “in the service of each citizen” and so that it “undermines neither human identity, nor human rights, neither private life, nor individual or public freedoms” [RÉP 78]. In the United States, the construction of models allowing designers to gain “trust” has even been tried [TCS 85]. The General Data Protection Regulation (GDPR) of 2016 is also a regulation and control initiative concerning the use of personal data.
For some people, computer science can represent a flaw in the security of information systems insofar as it processes information automatically. In addition, the security of information systems has often been looked at by focusing on artifacts, computer science and technologies. This book is meant to be timeless, just as relevant to the 19th Century as to the 21st Century; its ambition is to change this paradigm and take an interest in the security of information systems by considering individuals as components in their own right. Indeed, they are susceptible, just like a computer or any artifact, to constitute an insider threat to the information system’s security.
Pierre-Emmanuel ARDUIN
January 2018