sealPurdue News
____

August 1998

New center takes team approach to
tackle information security

WEST LAFAYETTE, Ind. -- Purdue University computer expert Gene Spafford says information security is too important to leave solely to scientists and technicians.

Download Photo Here
Photo caption below
"It takes more than an architect to construct a solid building, and it requires more than computer expertise to secure information," Spafford says.

He is following that philosophy as founder of a multidisciplinary center that is the first in the world to take a comprehensive approach to network and computer security. The center includes researchers from sociology, psychology, criminology, political science, ethics, management and economics.

The new center, named CERIAS (pronounced "serious"), will address issues related to information security from all those perspectives, Spafford says. CERIAS stands for Center for Education and Research in Information Assurance and Security.

"The public perception of information security is shaped by sensationalism such as computer virus scares and stories of teen-agers breaking into sensitive military systems," Spafford says. "But information and computing security is much more complex than that. It can include aspects of economic and international espionage, sabotage, terrorist activities, vandalism and other forms of crime."

Purdue, so far, is the only university to offer formal training to address these issues in a comprehensive manner.

Information assurance and security includes computer security, but it also addresses a much wider range of important issues, Spafford says.

"Issues such as network security, communications security, disaster recovery, investigation of computer crime, employee training and supervision, and protection against defective software also must be addressed," he says.

Current efforts to secure information generally rely upon computer security measures, which focus only on protecting information within a single computer system, Spafford says.

"However, the major value to organizations is in the data processed on the computer and not the computer itself," he says. "Disclosure, loss or alteration of the data, as a result of accident or malicious activity, is the problem."

The Purdue center will focus on finding ways to protect information that flows through computers in all its various forms -- whether on network cable, disks, faxes, or a phone call, Spafford says.

The center will work with researchers in industry, government and other academic institutions around the world, and it will provide training opportunities for both undergraduate and graduate students.

Recent reports, including testimony before Congress on the fragile state of the Internet, have served to underscore the need for increased training and research in information security topics, Spafford says.

"These needs are only going to expand in the coming years as we deploy more information resources and as the use of wide-area computer networks continues to spread," he says. "Our increasing reliance on new and often fragile technologies for use in critical applications presents attractive targets to criminals, vandals and foreign adversaries."

Spafford, who has helped track computer break-ins worldwide, is an expert on computer and network security and computer crime. He is the co-author or contributing editor of four books, including "Computer Crime: A Crime-Fighters Handbook" and "Web Security and Commerce," and he is a frequent speaker at academic, industrial and government conferences on information security and computer crime.

To create a more secure environment, educators must push beyond technical knowledge and provide a comprehensive view of computer use so that students and future users are familiar with the many ways in which computers can be used and abused, Spafford says.

"Today's students will design the information technologies of the future, yet the majority of them receive no training in information security," he says. "There are few institutions ready to train people to deal with the multiple issues, and none that takes a broad view of the problems involved."

Michael Stohl, dean of international programs and professor of political science at Purdue, is one of about 20 faculty members from eight Purdue departments already associated with the center. His expertise in terrorism and international relations will be tapped to help train others on the threat to security that is posed by political terrorists.

"I can bring a perspective involving threat assessment that is complementary to those who approach the subject from a purely technical side," he says. "Knowledge of potential enemies is important in making decisions as to how to protect something."

Alok Chaturvedi, a professor of management information systems in Purdue's Krannert Graduate School of Management, will use a computer-simulated "war game" that he, another Purdue professor and the Institute for Defense Analyses created to help students and senior government officials simulate the economic and management consequences of cyberterrorism.

Chaturvedi says the human interaction between the players of the game helps make the simulation unpredictable.

"Using this program, students can see the consequences of compromised systems unfold in front of their eyes in real time," Chaturvedi says. "For example, we can simulate scenarios that show what would happen if computer terrorists attacked the New York Stock Exchange, or if the air traffic control or telecommunications systems are compromised."

Chaturvedi and Spafford say a classroom exercise such as this will help better prepare students to cope with all the various issues involved in information security because it allows them to experience the consequences first-hand.

"As the world becomes more interlinked, security becomes a major issue, and businesses and organizations become more vulnerable to organized crimes," Chaturvedi says. "I can't think of a more hands-on way to let students or other participants experience the economic or political consequences of a compromised system without actually taking the risk."

CERIAS is an expansion of several widely recognized programs currently in place at Purdue, including the COAST laboratory, which was established by Spafford in 1992 to meet the growing need for research and education in the information security arena. Research tools and educational materials from COAST have been used by government agencies, businesses and academic institutions worldwide and have been hailed as models for their usefulness. The COAST laboratory will work as a partner with the new center.

The new center is funded by Purdue. More information on CERIAS is available at the center's Web site: http://www.cerias.purdue.edu/

Sources: Eugene Spafford, (765) 494-7825; e-mail, spaf@purdue.edu;
Web, http://www.cerias.purdue.edu

Michael S. Stohl, (765) 494-9399; e-mail, mstohl@ippu.purdue.edu

Alok Chaturvedi (765) 494-9048; e-mail, alok@mgmt.purdue.edu

Writer: Susan Gaidos, (765) 494-2081; e-mail, susan_gaidos@purdue.edu

Purdue News Service: (765) 494-2096; e-mail, purduenews@purdue.edu

PHOTO CAPTION:
Purdue Professor Eugene Spafford is director of a new multidisciplinary center designed to tackle issues related to information security from a number of perspectives. (Purdue News Service photo by David Umberger)
Color photo, electronic transmission, and Web and ftp download available. Photo ID: Spafford.CERIAS
Download Photo Here


* To the Purdue News and Photos Page