The 45th Installment
“Considering Information Security”
by Yoichi Seto,
Professor, Master's Program of Information Systems Architecture
"Speed, speed, speed. The future will go on at a speed several-fold or dozens-fold higher than now. We will enter a new era where rising and falling take place much faster than we think. The inspiration of young people is generally correct. If you are inspired by something, delve deeper and deeper into it. If you reach a conclusion, you must have the courage to insist on it absolutely and repeatedly even with limited authority. I didn't have the courage."
These are not the words of an IT leader, but the words of Arata Oka (55 years old at that time), commander-in-chief of the Osaka Guard, Imperial Japanese Navy, on August 22, 1945. The words are very innovative even if heard today. It is important for each person to think deeply and act with conviction. This is an essential message for the IT industry. Above all, the technology in the field of security changes the fastest among the IT technologies, and its impact on our society is the greatest.
RSA encryption used for social infrastructure was invented by Rivest, Shamir, and Adleman in 1977. Thirty years have passed since the birth of modern cryptography. If one thinks of encryption as a human being, it would have just mastered how to do the job and would now begin to actively play a central role in the organization. No other technology has matured more in such a short period of time of 30 years, become more dominant throughout the world, and formed the very basis of our society than encryption technology. However, how much do we know about encryption and information security?
When we try to understand information security, I like to refer to the story of the blind men and the elephant. The story is perhaps an Indian allegory in which blind children who touched an elephant were asked to describe the elephant. The blind children gathered around the elephant in their own way and began to touch the animal. One child touched the elephant's ear. Stroking it gently, the child thought, "An elephant is like a big fan." Another child touched the elephant's leg and thought, "An elephant is like a thick column." A third touched the trunk and thought, "An elephant is like a thick club." A fourth touched the belly and thought, "An elephant is like a big pot."
Their teacher asked the children, "What was an elephant like?" The children began to describe what they touched. "An elephant is like a big fan," one said. Another said, "No. You are wrong. An elephant is like a thick column." A third said while laughing, "You are silly. An elephant is not like a fan, nor like a column. It is like a thick, long club." A fourth said, "None of you are right. An elephant is like a big pot." The discussion of the children heated up, until it turned into an argument.
Their teacher said, "I will talk about what an elephant is like. Everything you said is right…and wrong. Each of you touched only a part of the elephant. The picture of the elephant based on a part is not correct. An elephant is like a fan, a column, a club, or like a pot. And, an elephant is more than the parts all of you described. An elephant can be understood only by seeing the whole picture."
I always feel that information security may be the same as that story. When I ask one person to define information security, the person says, "It is cryptography based on a mathematical theory." Another one says, "It is risk management or IT governance." A third one says, "Laws and standards are important." A fourth says, "A computer virus that affects society most significantly." All of them are correct, but their descriptions are not complete.
Like the teacher in the story, I would say to these people, "I will talk about the concept of information security. Everything that was said is right…and wrong. What each person conceived is only part of what is known about information security. The picture of the entire body of knowledge drawn from a single part is not correct. Information security is like mathematics, like laws, like risks, or like computer programs. And, it is more than the sum of the parts as described. Information security can only be understood by seeing the whole picture."
The "elephant" we are studying inconveniently changes form every day. Researchers, engineers, and users are forced to make endless efforts to grab its substance.
This school provides a curriculum for studying "elephants," that is, security, from multiple angles, which is effective and efficient particularly for students entering from the work force. First, Information Security and Business Law on Information provide systematic studies of security from mathematical, management, and legal perspectives. Students who work on the internal control of an organization learn the essence of risk management in Risk Management and the skills necessary for the continuity of an organization, such as internal control and business continuity, in Business Continuity Management. Students who work on system architecture, such as networks and databases, learn the concept of security implementation conforming to international standards for software and systems through IT Security Evaluation.
The curriculum also deals with the new topics of privacy impact assessment and digital forensics. Security is important in cloud computing and smart grids, and the results of teachers' studies are reflected in the lectures as feedback when deemed appropriate.
The education in this school is changing along with society. The purpose of education is to gain comprehensive knowledge. Taking as my personal creed the words of English naturalist Charles Darwin, "It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change," I will make an effort in education in this graduate school with a can-do spirit.