Study On The E-Government Security Risk Management: Zhitian Zhou, Congyang Hu
Ji Jianyue and Wang Yuanyue described the development of e-government in our country [11]. They analyzed the problems existing in the development of e-government in China and proposed relevant development strategies. Du Wenzhong and Ma Liping, after analyzing e-government from the aspects of security, benefits and costs, concluded that security problems in e-government are inevitable [12]. They held that e-government security is a problem without standard answers, that we must avoid building e-government in swarms, and that the relationships between security, benefits and costs must be handled with care. Zhang Weihua introduced several problems existing in the establishment of our country's e-government information security architecture [13]; he also presented some relationships that must be paid attention to and some core technological problems that must be solved. Ren Jinhua analyzed the status of network security in our country [14]. The present level of software and hardware technology in our country is low, which seriously hampers the establishment of an e-government security guarantee. In his paper he gave a detailed analysis of the advantages and disadvantages of the dominant network security technologies of the time, such as firewall technology, intrusion detection technology and security audit technology.

Yan Qiang and Shu Huaying stated the security risks which e-government systems face from the angle of security risk management [15]. Shen Changxiang discussed the e-government information security guarantee system from the strategic angle [16]; the technical framework of the security guarantee system is divided into three levels and two centers, and he emphasized the importance of security products with independent intellectual property. Wang Huanxi analyzed e-government information security from the angle of law [17]. Zhang Chongbin and Suo Yanfeng analyzed some current information security technologies, such as isolation technology and intrusion detection technology, and proposed relevant application strategies [18].

2. The E-Government Security Risks

The development of e-government, which is based on the Internet, faces severe security problems due to the complexity and vulnerability of the network. Generally speaking, the security risks that e-government faces include the following aspects:

2.1 Information Intercepting

Related e-government users or intruders capture or steal e-information from governments or from other users.

2.2 Information Tampering

Internet attackers tamper with, insert or delete original data through various technical methods and transmit the result to the destination, in order to damage the integrity of the data.

2.3 Denial of Service

The complete invalidation of the network system or the server system for some period. It mainly comes from attacks by hackers or viruses, and from man-made destruction of the devices as well.

2.4 System Resource Stealing

In the network system environment, the stealing of system resources is very common.

2.5 Information Faking

After attackers learn the rules of the data in the network information, or after they have decoded the government information, they can pretend to be legal users or make false information to cheat other users. The main forms include pretending to be a user in order to obtain illegal certifications, forging e-mails, etc.
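As an added worked example (not from the paper) of how the tampering of 2.2 and the faking of 2.5 are detected at the receiving side, the following script seals a record with an HMAC and runs a modified, a truncated and a forged copy past an unprotected receiver and a verifying one. The record layout, the shared key and the attacker manipulations are constructed for illustration.

```python
"""Added example (not from the paper): detecting information tampering (2.2)
and information faking (2.5) on a record in transit. The record layout, the
shared key and the attacker manipulations are all constructed for illustration."""
import hashlib
import hmac
import json
import secrets

# Constructed keys. The office key would come from a key-management system in
# practice; the attacker key stands for an intruder who never obtained it.
OFFICE_KEY = secrets.token_bytes(32)
ATTACKER_KEY = secrets.token_bytes(32)

# Constructed sample record: a payment instruction issued by a government office.
GENUINE = {"sender": "office-17", "seq": 1042, "citizen": "C-88213", "amount": 250}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag covering every field of the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    Inserting, deleting or modifying any field changes the canonical bytes,
    and a tag produced with a different key never matches."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def naive_accept(envelope: dict) -> bool:
    """Unprotected baseline: accept anything that parses as a record."""
    return isinstance(envelope.get("record"), dict)


def simulate() -> dict:
    """Run the genuine message and three constructed attacks through both receivers."""
    env = seal(GENUINE, OFFICE_KEY)
    # 2.2 tampering: a field is modified in transit, the original tag is kept
    tampered = {"record": dict(env["record"], amount=25000), "tag": env["tag"]}
    # 2.2 tampering: a field is deleted in transit
    truncated = {"record": {k: v for k, v in env["record"].items() if k != "citizen"},
                 "tag": env["tag"]}
    # 2.5 faking: an intruder fabricates a whole message in the office's name
    forged = seal(dict(GENUINE, amount=9999), ATTACKER_KEY)
    cases = {"genuine": env, "tampered": tampered, "truncated": truncated, "forged": forged}
    return {name: {"naive": naive_accept(e), "mac": verify(e, OFFICE_KEY)}
            for name, e in cases.items()}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:<10} naive={outcome['naive']!s:<5} mac={outcome['mac']}")
```

The unprotected receiver accepts all four messages; the verifying receiver accepts only the genuine one. A MAC gives integrity and origin authentication against anyone without the key, but not non-repudiation, and by itself not replay protection: the `seq` field is there for a receiver to refuse repeats, which this script leaves out.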
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.5, May 2008
The ultimate goal of threat analysis is to calculate the general risk probability. The factors influencing risk probability include the motivation and ability of the threat source, the system vulnerabilities, and the effect of the relevant security measures. Calculating risk probability is a process with very strong subjectivity. There may be some historical records about natural threats, and those records can help to analyze the probability that natural threats happen. But we often lack historical information about the technical and operational threats that come from people. To evaluate the probability of these kinds of threats we can use the analogy method; in practice, however, it often depends on the analyst's practical experience. We have proposed a simple method to describe the risk probability in three levels: high, medium and low. Table 3 shows the definitions of risk probability.

Table 3 Definitions of Risk Probability

Probability   Description
High          The threat source has high motivation and ability, and the security measures are invalid.
Medium        The threat source has some motivation and ability, but the security measures have an effect; or the threat source does not have motivation; or it does not have obvious ability.
Low           The threat source lacks motivation and ability, and the security measures can effectively keep the vulnerabilities from being attacked.

3.3 Risk Controlling

Risk controlling is choosing and using risk control methods to guarantee that the risk can be reduced to an acceptable level. Risk controlling is the most important step in risk management; it is the key factor that determines whether the risk management is successful or not. The goal of e-government security risk controlling is to reduce the degree of risk that e-government projects suffer.

Generally speaking, there are two kinds of risk control methods. The first are risk control measures, such as risk reducing, avoiding or transferring, and loss management; in e-government security risk management we often use risk transferring and loss management. The second are funding measures for risk compensation, which include insuring or retaining the risk oneself. In e-government security risk management, managers need to decide which measure to choose, insuring or retaining the risk. To make a proper choice one should take the risk costs into consideration; of course, other influences, such as the government's reputation, cannot be ignored either.

One effective and feasible risk control method for e-government security is to establish a complete security plan to reduce risk, to master some basic technology for the security guarantee, and to prepare solutions that the government can adopt when specific security incidents happen. We have designed a process of risk controlling, which is shown in Figure 1.
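Returning to the threat-analysis step above, the following added example (not the paper's own code) encodes its two estimation routes: the history-record route for natural threats and the three-level rule of Table 3 for human threats, and uses both to fill the probability column of a small risk register. The rating scales, the frequency thresholds, the threat list and the incident history are constructed assumptions.

```python
"""Added example (not from the paper): the two probability-estimation routes of
the threat-analysis step. Natural threats are rated from historical incident
records; human (technical and operational) threats are rated with the
three-level rule of Table 3. The thresholds, scales, threat register and
incident history below are constructed assumptions."""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"


@dataclass(frozen=True)
class HumanThreat:
    """Analyst's judgement of one human threat source against one vulnerability."""
    name: str
    motivation: str           # assumed scale: "high", "some" or "none"
    ability: str              # assumed scale: "high", "some" or "none"
    measures_effective: bool  # do the security measures in place counter it?


def rate_human_threat(t: HumanThreat) -> str:
    """Table 3 as a decision rule. The High and Low rows each need all three
    conditions; every other combination falls into the Medium row."""
    if t.motivation == "high" and t.ability == "high" and not t.measures_effective:
        return HIGH
    if t.motivation == "none" and t.ability == "none" and t.measures_effective:
        return LOW
    return MEDIUM


def incident_rate(incident_years: list, first_year: int, last_year: int) -> float:
    """Yearly frequency of a natural threat from a record of the years it occurred."""
    window = last_year - first_year + 1
    return sum(first_year <= y <= last_year for y in incident_years) / window


def rate_natural_threat(incidents_per_year: float) -> str:
    """History-record route. Assumed thresholds: more than one event per year is
    high, at least one event in five years is medium, anything rarer is low."""
    if incidents_per_year > 1.0:
        return HIGH
    if incidents_per_year >= 0.2:
        return MEDIUM
    return LOW


def build_register(human: list, natural: dict) -> dict:
    """Probability column of a risk register for both kinds of threat."""
    register = {t.name: rate_human_threat(t) for t in human}
    register.update({name: rate_natural_threat(rate) for name, rate in natural.items()})
    return register


# Constructed register for a hypothetical portal
HUMAN_THREATS = [
    HumanThreat("organized group vs. unpatched web server", "high", "high", False),
    HumanThreat("organized group vs. patched, monitored server", "high", "high", True),
    HumanThreat("disgruntled clerk with limited access", "some", "some", True),
    HumanThreat("casual visitor", "none", "none", True),
]
NATURAL_THREATS = {
    "flooding of the server room": incident_rate([2003, 2006], 1998, 2007),  # 2 in 10 years
    "regional power failure": incident_rate([2005, 2006, 2006, 2007], 2005, 2007),
}

if __name__ == "__main__":
    for threat, level in build_register(HUMAN_THREATS, NATURAL_THREATS).items():
        print(f"{level:<7} {threat}")
```

The second human threat shows the point of the Medium row: the same capable, motivated source drops from high to medium only because the measures in place are judged effective, which is also the lever the risk-controlling step of 3.3 works on.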
Considering the importance of the security of e-government, it is urgent to deploy a whole set of effective countermeasures. The purpose of deploying the countermeasures is to reduce the potential risks and security flaws, so that the risk which the e-government system environment faces is reduced.

Among the e-government risk management countermeasures, the defense-in-depth strategy is popular at present. A defense-in-depth strategy, precisely, consists of depth security and multi-level security. By deploying multi-level security protection, we can guarantee that if one level is broken, the other levels can still ensure the security of the e-government system resources. For example, if the outer firewall of a unit is destroyed, by virtue of the inner firewall the intruder still cannot get access to the sensitive data, nor do any damage to it. Ideally, each level supplies different measures, so that hackers cannot attack different levels in the same way. We have put forward an effective defense-in-depth strategy, which is shown in Figure 2.

Figure 2 An Effective Defense-in-Depth Strategy

5. Conclusions

Generally speaking, risk management has three basic countermeasures: (1) managers take some proper measures

For already chosen countermeasures, managers should make a full evaluation of their potential risks, and draw up a relevant emergency plan in order to minimize the possible losses.

There are no golden rules for risk management. For e-government security risk management, the first step is to scan and examine the internal and external environment of the e-government system and check the vulnerabilities and weaknesses of the system; patch or add new devices immediately, in order to reduce the losses as much as possible when risks materialize. Secondly, make a full analysis of the e-government security risk, and then make the relevant plans and measures; track and monitor those plans and measures in each implementation stage. At last, adjust the risk management measures at any time according to environment changes, and draw up a complete disaster recovery plan.

Reference

[1] Westerlind K. 2004. Evaluating Return on Information Technology Investment. School of Economics and Commercial Law, Gothenburg University.
[2] Tsiakis T, Stephanides G. 2005. The Economic Approach of Information Security. Computers & Security, No. 24, 105-108.
[3] Gordon L A, Loeb M P. 2002. The Economics of Information Security Investment. ACM Transactions on Information and System Security, Vol. 5, No. 4, 438-457.
[4] Gritzalis S, Lambrinoudakis C. 2002. Security Requirements of E-Government Services: an Organizational Framework. Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications, Las Vegas.
[5] Lambrinoudakis C, Gritzalis S, et al. 2003. Security Requirements for E-Government Services: a Methodological Approach for Developing a Common PKI-Based Security Policy. Computer Communications, No. 26, 1873-1883.
[6] Leitold H, Hollosi A, Posch R. 2002. Security Architecture of the Austrian Citizen Card Concept. Proceedings of the 18th Annual Computer Security Applications Conference, 9-13, 391-400.
[7] Wimmer M, Von Bredow B. 2002. A Holistic Approach for Providing Security Solutions in E-Government. Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS), Hawaii, 7-10, 1715-1724.
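The two-firewall case used above to explain the defense-in-depth strategy (an intruder who destroys the outer firewall still cannot reach the sensitive data because the inner firewall uses a different measure) is worked through here as an added packet-filter simulation. This is not the paper's Figure 2 design; the network layout, addresses, rule sets and attacker flows are constructed assumptions.

```python
"""Added example (not from the paper): the two-firewall case of the
defense-in-depth strategy as a small packet-filter simulation. The network
layout, addresses, rule sets and attacker flows are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed layout: a DMZ with the public web server behind the outer firewall,
# an internal network with application and database servers behind the inner one.
DMZ = ip_network("10.1.0.0/24")
INTERNAL = ip_network("10.2.0.0/24")
WEB = ip_address("10.1.0.10")
APP = ip_address("10.2.0.10")
DB = ip_address("10.2.0.20")
ATTACKER = ip_address("203.0.113.5")   # constructed Internet address


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset

    def matches(self, f: Flow) -> bool:
        return f.src in self.src and f.dst in self.dst and f.dport in self.dports


def host(addr: IPv4Address) -> IPv4Network:
    return ip_network(f"{addr}/32")


# Outer firewall: exposure control, the Internet may reach only the web server on 80/443.
OUTER_ALLOW = [Rule(ip_network("0.0.0.0/0"), host(WEB), frozenset({80, 443}))]
# Inner firewall: a different measure, it filters on the *source* identity inside
# the network, so only the web server reaches the app tier and only the app
# server reaches the database. A trick that passes the outer layer gains nothing here.
INNER_ALLOW = [
    Rule(host(WEB), host(APP), frozenset({8080})),
    Rule(host(APP), host(DB), frozenset({5432})),
]
LAYERS = {"outer": OUTER_ALLOW, "inner": INNER_ALLOW}


def permitted(rules: list, f: Flow) -> bool:
    """Default-deny filter: a flow passes only if some allow rule matches."""
    return any(r.matches(f) for r in rules)


def layers_on_path(f: Flow) -> list:
    """The outer firewall is crossed when entering from outside, the inner one
    when the destination is on the internal network."""
    path = []
    if f.src not in DMZ and f.src not in INTERNAL:
        path.append("outer")
    if f.dst in INTERNAL:
        path.append("inner")
    return path


def reaches(f: Flow, broken: frozenset = frozenset()) -> bool:
    """A flow arrives only if every intact layer on its path permits it; a
    broken (destroyed or bypassed) layer is modelled as permitting everything."""
    return all(layer in broken or permitted(LAYERS[layer], f)
               for layer in layers_on_path(f))


def scenarios() -> dict:
    """Attacker flows with the outer firewall intact, destroyed, and both layers gone."""
    to_db = Flow(ATTACKER, DB, 5432)
    return {
        "internet -> web:443, all layers up": reaches(Flow(ATTACKER, WEB, 443)),
        "internet -> db:5432, all layers up": reaches(to_db),
        "internet -> db:5432, outer destroyed": reaches(to_db, frozenset({"outer"})),
        "compromised web -> db:5432": reaches(Flow(WEB, DB, 5432)),
        "app -> db:5432 (legitimate path)": reaches(Flow(APP, DB, 5432)),
        "internet -> db:5432, both layers gone": reaches(to_db, frozenset({"outer", "inner"})),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'reaches' if ok else 'blocked':<8} {name}")
```

With the outer firewall destroyed, the attacker's flow to the database is still blocked, because the inner layer decides on the source host rather than on the exposed port; the same holds for an attacker who has taken over the web server. The legitimate app-to-database flow also shows the limit of filtering alone: whoever controls the application server inherits its path, which is why each level should carry measures of its own (host hardening, authentication) rather than a second copy of the perimeter rule.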