When we talk about awareness, or security awareness, we usually mean awareness of the general concerns of information security. Awareness therefore covers far more than cryptology (e.g. the encryption of confidential data); it is a much broader topic. The following figure illustrates this:
The measures of IT security include (besides cryptological methods) security organisation, legal aspects, security monitoring, anti-virus measures, patch management, disaster recovery, business continuity, security architectures and awareness of IT security. A good overview of these measures can be found at NIST or at the German Federal Office for Information Security (BSI).
Risk management extends the scope of IT security and also covers the socially desirable protection of critical infrastructures.
Risk management can be defined as the deliberate, systematic management of risks. These can be general operational risks or specific financial risks. Companies, organisations and individuals have always had to deal with risks of all kinds. Systematic risk management originated in the financial industry. Today several laws and regulations aim to ensure financial control and transparency for corporations (e.g. the Sarbanes-Oxley Act or Basel II).
The total risk of a company can be divided into operational risks (e.g. the breakdown or limited availability of IT systems) and financial risks of all kinds (credit risk, liquidity risk, market risk, liability risk etc.).
Several approaches exist to identify, measure, monitor and control risks.
Risk management does not necessarily aim at complete risk prevention. Instead it seeks measures that are appropriate from a cost/benefit perspective; transferring a risk, e.g. by insuring against it, can be such a measure.
A basic understanding of cryptology is necessary to choose appropriate measures and controls that achieve the objectives of IT security (authentication, confidentiality, integrity, non-repudiation) at an optimal cost/benefit ratio. The following figure illustrates how CrypTool can contribute to the understanding of security awareness in this context:
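The four objectives named above map to different cryptographic primitives, and the differences between them are easiest to see in code. The following Go program is an added example, not code from the original page or from CrypTool; the keys are generated at random for the demo and the message is a constructed sample. It shows that encryption alone (AES-CTR) provides confidentiality but no integrity, that an HMAC provides integrity and authentication between parties that share the key but no non-repudiation, and that a digital signature (Ed25519) provides non-repudiation because it is checked with a public key the verifier could not have used to create it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// mustRandom returns n random bytes. The demo keys below are generated ad hoc;
// in a real system they come from key management.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Confidentiality: AES-256 in CTR mode, fresh random IV prepended to the output.
// CTR is malleable, so encryption alone gives no integrity.
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	copy(out, mustRandom(aes.BlockSize))
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func decryptCTR(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, ciphertext[:aes.BlockSize]).XORKeyStream(plaintext, ciphertext[aes.BlockSize:])
	return plaintext, nil
}

// Integrity and message authentication: HMAC-SHA256 over the ciphertext
// (encrypt-then-MAC). Everyone holding macKey can create as well as check tags.
func macTag(macKey, data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}

func macVerify(macKey, data, tag []byte) bool {
	return hmac.Equal(macTag(macKey, data), tag) // constant-time comparison
}

// flipBit copies b and flips one bit of its last byte, simulating tampering in transit.
func flipBit(b []byte) []byte {
	c := append([]byte(nil), b...)
	c[len(c)-1] ^= 0x01
	return c
}

func main() {
	encKey, macKey := mustRandom(32), mustRandom(32)
	// Non-repudiation: Ed25519 signatures are made with the private key but
	// checked with the public key only, so the verifier could not have produced one.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("transfer 100 EUR to account 42") // constructed sample message

	ct, _ := encryptCTR(encKey, msg)
	tag := macTag(macKey, ct)
	sig := ed25519.Sign(priv, ct)

	pt, _ := decryptCTR(encKey, ct)
	fmt.Printf("honest:   mac=%v sig=%v plaintext=%q\n", macVerify(macKey, ct, tag), ed25519.Verify(pub, ct, sig), pt)

	// Tampering: CTR decryption still "succeeds" but yields a different message;
	// only the MAC and the signature reveal the modification.
	bad := flipBit(ct)
	pt2, _ := decryptCTR(encKey, bad)
	fmt.Printf("tampered: mac=%v sig=%v plaintext=%q\n", macVerify(macKey, bad, tag), ed25519.Verify(pub, bad, sig), pt2)

	// Repudiation: the receiver holds macKey too and can mint a valid tag for a
	// message the sender never sent, so an HMAC proves nothing to a third party.
	// The signature, by contrast, does not transfer to different data.
	forged := []byte("transfer 100000 EUR to account 42")
	fmt.Printf("forged:   mac=%v sig=%v\n", macVerify(macKey, forged, macTag(macKey, forged)), ed25519.Verify(pub, forged, sig))
}
```

The point of the tampering step is that the CTR decryption returns no error: without a MAC or signature the application would process a silently altered message. In practice an AEAD mode such as AES-GCM combines the first two steps, but separating them makes the distinction between the objectives visible.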
Standardisation and Management Visibility of Cryptology
In addition to the classifications above, which come from a technical and a risk-management perspective, cryptology can be structured into five components: algorithms, protocols, key management, organisational best practice and regulatory requirements. These components differ considerably in their degree of standardisation, their visibility to corporate management and their scientific focus.
Algorithms and the related mathematical functions are the foundation of cryptology. Algorithms such as AES, 3DES or RSA are highly standardised and are the subject of research in cryptology and related mathematics. (Note that 3DES has since been deprecated by NIST and should not be used in new systems; AES is the current standard for symmetric encryption.)
Protocols use algorithms. They protect data transfer between communication partners and are therefore the indispensable enabler of the commercial use of electronic communication. Typical security protocols are TLS (and its deprecated predecessor SSL) and IPsec. These protocols are also highly standardised and are familiar to many users because of their widespread use in intranet and internet communication.
An important part of cryptology is the management of encryption and decryption keys, so-called key management. Because almost all algorithms and protocols depend on keys, the generation, storage, distribution, rotation and retirement of keys is essential: a strong algorithm with a leaked or mishandled key protects nothing. A number of standards exist in the area of key management, e.g. ISO standards, the IETF PKIX profile or the W3C XKMS specification.
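Key management is the component practitioners most often get wrong, so here is an added example (not code from the original page or from CrypTool) of one basic technique: envelope encryption, where each record is encrypted under its own data encryption key (DEK) and the DEK is in turn wrapped under a key encryption key (KEK). It goes beyond the paragraph by also showing KEK rotation, which only re-wraps the small DEKs and leaves the bulk ciphertext untouched. The names Record, Encrypt, Decrypt and RotateKEK, the key ids and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: AES-256-GCM with a fresh 12-byte nonce prepended; aad is
// authenticated but not encrypted (used here to bind the KEK id to a wrap).
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Record is what gets stored: data under its own DEK, the DEK under the KEK, and the KEK id.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Encrypt draws a fresh DEK per record and wraps it under the KEK with the KEK id as AAD.
func Encrypt(kekID string, kek, data []byte) (Record, error) {
	dek, err := newKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, data, nil)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK named in the record; a wrong or retired KEK fails GCM
// authentication instead of producing garbage.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	dek, err := gcmOpen(kek, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, r.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK; the bulk ciphertext is untouched.
func RotateKEK(oldKEK []byte, newID string, newKEK []byte, r Record) (Record, error) {
	dek, err := gcmOpen(oldKEK, r.WrappedDEK, []byte(r.KEKID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(newID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: newID, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	rec, _ := Encrypt("kek-2024-01", kek1, []byte("customer record (constructed sample)"))
	rotated, _ := RotateKEK(kek1, "kek-2024-02", kek2, rec)
	pt, err := Decrypt(kek2, rotated)
	_, err2 := Decrypt(kek1, rotated)
	fmt.Printf("new KEK: %q (err=%v); retired KEK: err=%v\n", pt, err, err2)
}
```

In a real deployment the KEK never leaves an HSM or a cloud key-management service and only the wrap/unwrap operations are exposed; the DEKs stay with the data. The AAD binding means that relabelling a stored record with a different KEK id is detected at unwrap time.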
Best Practice Implementation
A fundamental aspect, especially from a corporate perspective, is the implementation of cryptology, both organisationally and technically. Risk management determines which IT security mechanisms are required, and these frequently turn out to be cryptological ones. In practice cryptology then has to be deployed in heterogeneous IT landscapes and must protect information that is processed with frequently changing technologies.
Regulatory requirements are set by the legislator, and corporations must meet them because they are required by law. In the area of cryptology it is important to establish common standards in order to protect electronic data exchange. In addition, legal certainty, i.e. the predictability of legal decisions, is necessary so that electronic communication secured by cryptology (e.g. with digital signatures) is also safeguarded in law.