A study of Object-Oriented Information Security Management Model 物件導向資訊保安管理模型的研究 FUNG, Pui-kwan, Peggy MPhil 2003 Abstract Information security of an organization, if properly managed, should be fully documented. It has been suggested that a security officer’s workbench, with its database and graphical representations, may present a more effective form of security documentation. However, such a tool requires a well-developed model of the information system security and a standardized means to represent security entities and relationships, particularly a directory-based classification scheme for security entities and relationships. This thesis proposed an information security model to facilitate the development of electronic security documentation. An X.500-like security entities classification scheme was proposed. This proposed model defines the structure and hierarchy of security relevant data. There are five main security classes in the proposed model; namely, Systems, Environment, Security, Procedures and Linkages. Each of the above classes has a number of subclasses and the whole set of classes can be described as a directory tree. Such a directorybased model facilitates the documentation and maintenance of security relevant data and its complex relationships. The potential use of the data and their complex linkages in this model was then explored. Linkages (Relationships) link up entities under same and different security classes. We termed the relationship between a Threat and a Security Entity as a “TE” relationship and that between an incident TE and a target TE as a “TETE” relationship. It was found that a threat acting on a System or Environment Entity (incident TE relationship) causes consequent threats, which in turn act on another System or Environment Entity (target TE relationship). With TE and TETE relationships, propagation of threats within the system to their consequential business impact can be traced automatically, and thus, a threat tree can be constructed automatically. Further the model was developed to assist in the formulation of effective defence via appropriate countermeasures. As countermeasures are not 100% effective, there may be some residual threats, and thus multiple countermeasures may be required for a security system. Linkages between incident threats and residual threats of countermeasures provide a better picture on the state of security of an organization. These linkages can be used to build a Threat Countermeasure Diagram (TCD) that describes the structure of the deployed root countermeasure and its subsequent countermeasures to guard against information security threats for an organization. A prototype was developed in Java to test whether this proposed model can facilitate the development of an electronic form of information security documentation. A typical scenario on automatic construction of Threat Tree and TCD was illustrated with examples. The potential use of this model in risk assessment was discussed.