What is information systems security

IT security

IT security aspects

IT security is not a static, but a dynamic object that follows technical developments. In the days of fewer mainframes that were operated exclusively by experts, IT security hardly played a role and was focused on the physical protection of access to the system. With the increasing degree of electronic representation, networking and control of real processes in information systems, the scope of the term “IT security” expands and thus also influences the type of necessary and available security mechanisms.

IT security has different aspects: In concrete terms, it is important to systematically clarify what is to be protected from what, which threats exist and which security gaps and weak points can be used to carry out attacks. The definition of security requirements for an information system and the decision in which framework protective mechanisms are used are the subject of IT security management.

Protection goals and threats

To answer the question of what needs to be protected, protection goals are defined in IT security. Essentially, these are the three protection goals of "confidentiality", "integrity" and "availability": confidentiality The aim of confidentiality is to hide information and resources (e.g. documents, production data, communication) from unauthorized persons. Keeping confidential information confidential is a key concern for government institutions, companies and private individuals. integrity Integrity, on the other hand, focuses on the integrity of information and resources and aims to protect them from unauthorized changes. Availability of information and resources should be guaranteed so that every participant can use an information system as required.

Threats are also very diverse and always there. Threats are understood to be circumstances or events which in principle violate the protection goals of IT security and can lead to damage. The Federal Office for Information Security (BSI) cites as examples of threats force majeure, human error, technical failure or deliberate actions [BSI 08].

Weak points

Weak points in information systems are possible starting points for attacks that lead to the desired protection goals not being achieved. The causes of weak points are manifold, so incorrect programming, wrong system design, insufficient attention to security requirements and much more can be the reason for weak points. The identification of weak points is therefore of great importance in IT security. According to the various possible causes, there is a multitude of methods for this, which can be divided into collecting, creativity and analytical methods based on their approach (for more detailed information, see e.g. [Bishop and Bishop 05]). As a first approximation it can be stated that the effort of identification increases with the achievable completeness of the identification. A complete identification of all weak points in an information system is difficult - if at all - to be achieved. Thus, one hundred percent security is mostly an illusion and there is an inherent residual risk.


However, a threat only arises when a vulnerability encounters a threat and this can be exploited for an attack. A special focus when considering attacks is on targeted attacks via networked information systems. The most important representatives here are viruses, worms, Trojans, denial of service attacks and spoofing. Viruses are programs or program code that require a "host", for example an e-mail, in order to be distributed. As the host spreads, the virus also spreads between information systems. The affected information systems are then usually "infected" by replication of the virus and damaged due to damage functions. Also worms contain such a reproductive mechanism, but are themselves active in terms of their spread. By exploiting vulnerabilities, they copy themselves from system to system. Another variant are so-called Trojans, which are installed by users as useful programs and which also carry out malicious functions covertly. Trojans usually open "back doors" and thus make it possible to reload additional program code (universal Trojans) or to generate further Trojans (transitive Trojans). This makes it possible, for example, to gain access to the entire attacked system or to record the entry of passwords and transmit them unnoticed to the (mostly criminal) origin. So-called are more geared towards an attack of the availability Denial of service attacks. These try to bring a service to a standstill, for example through an overload due to countless calls. At the Spoofing an attempt is made to fake a foreign identity through deception. This can e.g. B. can be achieved by falsifying the IP sender address of a data packet or by redirecting a page request to a wrong website. Such attacks, as they are especially known in the field of online banking, are also known as Phishing designated. In addition, there are other forms of attack and combinations, such as B. Trojan worms.

Protection mechanisms

To defend against many known attacks, protective mechanisms are available that either try to achieve confidentiality and integrity by transforming the content (encryption) or to prevent unauthorized access to information or resources. The basis for guaranteeing confidentiality, integrity and also the accountability of information is the Cryptography and the mechanisms based on this for encrypting content or the creation and verification of digital signatures (further literature on this is, for example, [Eckert 07]). A second class of protection mechanisms are preventive programs such as Antivirus programs (on access scanner), which detect known computer viruses, worms and Trojans and prevent their execution. For this purpose, the entire network traffic as well as read and write accesses are usually checked for known viruses in the background and an attempt is made to prevent an infection of an information system. Since this is not always successful and depends on the currentness and completeness of the virus lists on which it is based, so-called Malware programs (on demand scanner) available. These search hard drives for Trojans or other malware, for example, and try to remove them.

Despite these and other protective mechanisms, not all attacks can be completely averted from a technical point of view. On the one hand, the protection of individual protective mechanisms is usually never complete, but rather increased, e.g. by encrypting data, only the costs and the time required for an attacker to exploit a vulnerability. The underlying attacker model is therefore of particular importance for the assessment of protective mechanisms. If one assumes an omnipotent or omnipotent attacker who has access to all information, it becomes impossible to achieve the protection goals. Even with other attacker models (e.g. "man in the middle"), complete security is usually not given. On the other hand, there are attacks for which no technical protection mechanisms are available, such as phishing attacks in online banking. Such attacks therefore also require organizational measures and the “common sense” of the user in order to be able to ward off them. It remains to be seen that an inherent residual risk also remains with regard to the effectiveness of technical protective mechanisms.

IT security management

IT security is not just a question of discovering weak points and defending against attacks in individual cases. The protection of information systems usually requires taking different measures, the simultaneous use of several protective mechanisms and constant adaptation of the measures to changes and current circumstances. IT security is therefore not a static state but a process. Controlling this process is the task of IT security management, which in value-oriented companies should align its goals with IT risk management.

The basis for IT security management is a security concept on a strategic level that defines the security goals of a company and the relevant framework conditions such as B. the structure of a security infrastructure and a risk management defined. Based on this, security measures are ideally planned company-wide. A starting point for this is, for example, the IT baseline protection catalogs of the Federal Office for Information Security (BSI), which, however, usually have to be adapted and supplemented specifically for the company. It is therefore essential for IT security management, based on a threat and vulnerability analysis, to evaluate the contribution to the target for available security measures, to decide on their implementation, to carry out their implementation at the operational level and to monitor their effectiveness. This procedure corresponds to the PDCA approach (Plan-Do-Check-Act) common with quality standards and is also used, for example, in the widely used ISO / IEC 27001 standard for information security management systems.

For IT security management geared towards corporate goals, the economic evaluation of security measures is a central challenge. While the costs are usually easy to determine, the "benefits" are difficult to determine. In practice, simple key figures (e.g. ROSI (Return on Security Investment)) are calculated to assess the advantages of investments in IT security mechanisms, but these are of limited value. In addition, there are other approaches which, through their integration into risk management and the calculation of the achievable risk reduction, lead to better results - albeit with greater effort in data collection and calculation (an overview can be found in [Prokein 07], for example). However, it turns out that it is less a lack of methods that prevents an economic assessment of IT security measures than a reliable database.

The current development of future information systems, for example towards service-oriented architectures, progressive networking to cross-company business processes or the decentralization and virtualization of the IT infrastructure will pose new challenges for the management of IT security: On the one hand, new security concepts are required that go beyond a pure Access control also enables usage control of information systems, for example to meet increasing requirements from the area of ​​compliance. On the other hand, new methods for evaluating IT security measures are required, which also allow the increasingly complex and dynamically changing relationships between threats and their effects on company results to be taken into account. IT security is and will remain a "key" for the future of the information society and is likely to continue to gain in importance, both in theory and in practice.


Bishop, M. A .; Bishop, M .: Introduction to Computer Security, Addison-Wesley Longman, 2005.

BSI - Federal Office for Information Security: IT-Grundschutz, https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html (accessed on 08.09.2011).

Eckert, C .: IT Security: Concepts - Procedures - Protocols, 5th edition, Oldenbourg, 2007.

Müller, G .; Rannenberg, K .: Multilateral Security in Communications, Addison-Wesley, 1999.

Prokein, O .: IT risk management: identification, quantification and economic control, Deutscher Universitätsverlag, 2008.




Dr. Stefan Sackmann, University of Freiburg, Institute for Computer Science and Society, Friedrichstr. 50, 79098 Freiburg i.Br.

Author info

Item Actions