Today the demand is growing for information security experts capable of analyzing problems and making decisions in business situations that involve risk or uncertainty. These skills can be acquired through the systematic study of various information security incidents. In this paper we propose a framework of methods, tools and taxonomies for the analysis of case studies in the information security field. Our framework allows every situation to be studied in a formal rather than ad hoc way, and a wide range of threat modeling, risk analysis and project management techniques to be applied under lifelike conditions. We illustrate it by providing two case studies based on real situations: a conflict between a free email service provider and a commercial bank, and an attack on a famous security company by a powerful hacktivist group. The first situation explores the risks of using cloud services, while the second highlights the importance of applying secure code principles for in-house software development. Although the cases are seemingly different, we demonstrate that they can be analyzed with similar tools.
Savelieva, A., & Avdoshin, S. (2016). Integrating Case Studies into Information Security Education (pp. 99–115). https://doi.org/10.1007/978-3-319-23929-3_9