Page 152 - Trust in ICT 2017
P. 152
2 Trust in ICT
There is also the problem of legal ownership of the data. Many terms of service agreements are silent on the
question of ownership. Physical control of the personal computer equipment (that is private cloud) is more
secure than having the equipment offsite and under someone else's control (that is public cloud).
Fundamentally, the private cloud is being seen as more secure with a higher level of control; however, the
public cloud is being considered to be more flexible and requires less time and money investments from
users. Public cloud computing service providers have great incentive to prioritize building and maintain a
strong management of secure data. Some small businesses that do not have expertise in IT security could
find it more secure to use a public cloud.
Risk identification, protection, and management
It is very difficult to prevent risks that people have not identified beforehand. Knowledge societies seem well
protected than ever to undertake such a task. The information and technological revolution are indisputably
a great advantage for researchers who have access to a vast amount of resources. Such proliferation may
make it difficult to identify and manage risks. The knowledge-based process like big data analytics may be
emerging to expose risks from the undifferentiated flows of available data.
As a matter of fact, risk identification is a matter of good governance. Information is of no value if people are
unable to gather and use it. Risk identification requires the efficient activity of data analytics whose technical
and scientific abilities must be recognized by the public and private decision-making entities. Risk
identification has the priority to ensure that key information is passed up to the highest decision-making
levels, in particular in cases of hacking or natural disasters. In order to handle risks, the relevant risk
management system should report the incident quickly to the decision-makers. The precautionary principle
on risk is to recommend a proactive approach.
The monitoring of the predefined risks can also be set up both at the domestic and international levels. In
the war against terrorism, knowledge on risks becomes a strategic resource. Governments may monitor
contents, identify access points, and block websites to avoid potential risks. To restrict illegal contents, the
sophisticated surveillance techniques can be developed.
Risk management takes information feeds from one or more sources that detect deviations, defects, or other
patterns from security or business applications. This can include active sensor technologies to protect,
monitor, and manage information networks and systems. For risk management, it is important to bear in
mind the prevention of risks. Sufficient countermeasures are required rather than excessive, unnecessary,
and pointless measures. Sometimes, the good intentions of risk management become wasteful expenditure
or impediments to growth, innovation, and opportunity for ICT markets. By combining information and
communication technologies such as web-based information security management systems, the defences
against cyberattacks are enhanced in real time. The information and communication technologies for risk
protection and management include [40]:
– host-based intrusion detection, vulnerability assessment, configuration and policy compliance,
database logs, website logs, and file accesses;
– hosts for penetration testing, e-mail scanning, and spam filters;
– network intrusion detection and prevention, netflow, and firewall/router/other network devices
logs;
– access and identity for successful or failed logins, new users, deleted users, privilege escalation, and
biometric identities;
– website vulnerability detection (cross-site scripting, structured query language (SQL) injection, etc.),
pages visited, and referred from;
– end-point monitoring such as permitted user activity, not permitted user activity, data
leakage monitoring, universal serial bus (USB) usage monitoring and reporting;
– anti-virus, anti-phishing, and malware detection;
– audit logs of activity, and audit log collection for operating systems, etc.
144