Integrating Case Studies into Information Security Education
Today the demand is growing for information security experts capable of analyzing problems and making decisions in business situations that involve risk or uncertainty. These skills can be acquired through systematic studying of various information security incidents. In this paper we propose a framework of methods, tools and taxonomies for analysis of case studies in information security field. Our framework allows to study every situation in a formal rather than ad-hoc way, and apply a wide range of threat modeling, risk analysis and project management techniques under lifelike conditions. We illustrate it by providing two case studies based on real situations: a conflict between a free email service provider and a commercial bank, and an attack on a famous security company by a powerful hacktivist group . The first situation is related the risks of using cloud services, while the second highlights the importance of applying secure code principles for in-house software development. Although the cases are seemingly different, we demonstrate that they can be analyzed with similar tools.