Saturday 21 April 2018

Security analysis of trading systems


Security standards.




Standards for information security management.


To assess an organization's security needs effectively, and to evaluate and choose among security products and policies, the manager responsible for security needs a systematic way to define security requirements and to characterize the approaches that satisfy those requirements. This process is difficult enough in a centralized data-processing environment; with the use of local and wide area networks (LANs and WANs), the problems are compounded.


The challenges management faces in providing information security are formidable. Even for relatively small organizations, information system assets are substantial, including databases and files relating to personnel, company operations, financial matters, and so on. The information system environment is typically complex, comprising a variety of storage systems, servers, workstations, local networks, and Internet and other remote network connections. Managers face a range of threats that keep growing in sophistication and scope. And the variety of consequences of security failures, for both the company and individual managers, is substantial, including financial loss, civil liability and even criminal liability.


Standards for providing information system security become essential in such circumstances. Standards can define the scope of the security functions and features that are needed, policies for managing information and human resources, criteria for evaluating the effectiveness of security measures, techniques for ongoing assessment of security and for ongoing monitoring of security breaches, and procedures for dealing with security failures.


Figure 1, based on [1], suggests the elements that, taken together, constitute an effective approach to information security management. This approach focuses on two distinct aspects of providing information security: process and products. Process security addresses information security from the standpoint of management policies, procedures and controls. Product security focuses on technical aspects and is concerned with using certified products in the IT environment wherever possible. In Figure 1, the term technical standards refers to specifications covering such matters as IT network security, digital signatures, access control, non-repudiation, key management and hash functions. Operational, management and technical procedures cover policies and practices defined and enforced by management; examples include personnel screening policies, guidelines for classifying information, and procedures for assigning user IDs. Management system audits, certification and accreditation cover management policies and procedures for auditing and certifying information security products.


Codes of practice are policy-oriented standards that define the roles and responsibilities of various employees in maintaining information security. Assurance deals with the testing and evaluation of products and systems. Cultural, ethical, social and legal issues refer to the human-factors aspects of information security.


Figure 1: Elements of information security management.


Many standards and guidance documents have been developed in recent years to help manage the area of information security. The two most important are ISO 17799, which deals primarily with process security, and the Common Criteria, which deal primarily with product security. This article reviews these two standards and also examines other important standards and guidelines.


An increasingly popular standard for writing and implementing security policies is ISO 17799, "Code of Practice for Information Security Management". (ISO 17799 has since been renumbered as ISO/IEC 27002 within the ISO 27000 family of security standards.) ISO 17799 is a comprehensive set of controls comprising best practices in information security. It is essentially an internationally recognized generic information security standard. Table 1 lists the areas covered by the standard; the standard also states objectives for each area.


Table 1: ISO 17799 areas (the standard's objectives for each area are not reproduced here).

- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance


With growing interest in security, ISO 17799 certification, provided by various accredited bodies, has been set as a goal by many corporations, government agencies and other organizations worldwide. ISO 17799 offers a convenient framework to help security policy writers structure their policies in accordance with an international standard.


Much of the content of ISO 17799 deals with security controls, defined as practices, procedures or mechanisms that can protect against a threat, reduce a vulnerability, limit the effect of an unwanted incident, detect unwanted incidents and facilitate recovery. Some controls address security management, focusing on management actions to institute and maintain security policies. Other controls are operational; they address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls refer to mechanisms and procedures that are implemented primarily by people rather than by systems.


Finally, there are technical controls, which involve the correct use of hardware and software security features in systems. These range from simple to complex measures that work together to protect critical and sensitive functions, data, information and systems. The concept of controls cuts across all of the areas listed in Table 1.


To give a sense of the scope of ISO 17799, we look at several of the security areas discussed in the document. Auditing is a key security management function that is addressed in several areas of the document. First, ISO 17799 lists the key data items that, where relevant, should be included in an audit record:


- user IDs
- dates, times and details of key events, for example log-on and log-off
- records of successful and rejected system access attempts
- records of successful and rejected data and other resource access attempts
- changes to system configuration
- use of privileges
- use of system utilities and applications
- files accessed and the kind of access
- network addresses and protocols
- alarms raised by the access control system
- activation and deactivation of protection systems, such as antivirus and intrusion detection systems


It also provides a useful set of guidelines for implementing an audit capability:


- Audit requirements should be agreed with appropriate management.
- Checks should be limited to read-only access to software and data.
- Access other than read-only should be allowed only for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements.
- Resources for performing the checks should be explicitly identified and made available.
- Requirements for special or additional processing should be identified and agreed.
- All access should be monitored and logged to produce a reference trail; the use of time-stamped reference trails should be considered for critical data or systems.
- All procedures, requirements and responsibilities should be documented.
- The person(s) carrying out the audit should be independent of the activities audited.
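The two lists above (the audit-record data items and the audit implementation guidelines) can be made concrete. The following is an added example written for this page, not code from ISO 17799 or from the article: it encodes the listed data items as a record schema (the field names are this example's choice), validates constructed sample records, and links records in a SHA-256 hash chain so that a time-stamped trail can be verified with read-only access, which is what the guidelines ask for. All identifiers and sample records are assumptions made here.

```python
"""Structured, tamper-evident audit trail (added example for this page).

Not part of ISO 17799 or of the original article. Field names, sample data and
the chaining scheme are this example's assumptions.
"""
import hashlib
import json
from datetime import datetime

# Data items ISO 17799 says an audit record should carry where relevant.
# The field names are this example's choice, not the standard's.
REQUIRED_FIELDS = {"timestamp", "user_id", "event", "outcome", "source_address"}
OPTIONAL_FIELDS = {"resource", "access_type", "privilege", "utility",
                   "protocol", "config_change", "alarm", "protection_system"}
OUTCOMES = {"success", "rejected"}
GENESIS = "0" * 64                                      # prev_hash of the first entry
_CANON = {"sort_keys": True, "separators": (",", ":")}  # canonical JSON for hashing


def validate_record(rec):
    """Return a list of problems with an audit record; an empty list means well formed."""
    if not isinstance(rec, dict):
        return ["record is not an object"]
    problems = []
    missing = REQUIRED_FIELDS - rec.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    unknown = rec.keys() - REQUIRED_FIELDS - OPTIONAL_FIELDS - {"prev_hash"}
    if unknown:
        problems.append("unknown fields: " + ", ".join(sorted(unknown)))
    if rec.get("outcome") not in OUTCOMES:
        problems.append("outcome must be one of %s" % sorted(OUTCOMES))
    try:  # every entry must carry an ISO 8601 time stamp for the trail to be usable
        datetime.fromisoformat(str(rec["timestamp"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        problems.append("timestamp is not ISO 8601")
    return problems


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, **_CANON).encode()).hexdigest()


def head_hash(trail):
    """Digest of the last entry. Store it separately to protect the tail of the chain."""
    return _digest(json.loads(trail[-1])) if trail else GENESIS


def append_record(trail, rec):
    """Validate rec and append it to trail (a list of JSON lines), chained to its predecessor."""
    problems = validate_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    entry = dict(rec, prev_hash=head_hash(trail))
    trail.append(json.dumps(entry, **_CANON))
    return trail


def verify_trail(trail):
    """Walk the chain read-only: (True, None) if intact, else (False, index of first broken entry)."""
    prev = GENESIS
    for i, line in enumerate(trail):
        entry = json.loads(line)
        if entry.get("prev_hash") != prev:
            return False, i
        prev = _digest(entry)
    return True, None


def count_rejected(trail, event):
    """Number of entries recording a rejected attempt of the given event type."""
    n = 0
    for line in trail:
        entry = json.loads(line)
        if entry["event"] == event and entry["outcome"] == "rejected":
            n += 1
    return n


def tamper(trail, index, field, value):
    """Return a copy of trail with one field of one entry edited (simulates log tampering)."""
    copy = list(trail)
    entry = json.loads(copy[index])
    entry[field] = value
    copy[index] = json.dumps(entry, **_CANON)
    return copy


# Constructed sample records for illustration; not taken from any real system.
SAMPLE_RECORDS = [
    {"timestamp": "2018-04-21T09:00:00Z", "user_id": "alice", "event": "logon",
     "outcome": "success", "source_address": "10.0.0.5"},
    {"timestamp": "2018-04-21T09:00:07Z", "user_id": "bob", "event": "logon",
     "outcome": "rejected", "source_address": "10.0.0.9"},
    {"timestamp": "2018-04-21T09:01:30Z", "user_id": "alice", "event": "file_access",
     "outcome": "success", "source_address": "10.0.0.5",
     "resource": "/srv/payroll.db", "access_type": "read"},
    {"timestamp": "2018-04-21T09:02:00Z", "user_id": "root", "event": "protection_change",
     "outcome": "success", "source_address": "10.0.0.1",
     "protection_system": "antivirus", "config_change": "deactivated"},
]


def build_sample_trail():
    trail = []
    for rec in SAMPLE_RECORDS:
        append_record(trail, rec)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail), "rejected logons:", count_rejected(trail, "logon"))
    print("after edit:", verify_trail(tamper(trail, 1, "outcome", "success")))
```

A chain of this kind detects an edit or deletion anywhere except at the tail, so the value of head_hash() must be kept somewhere the log writer cannot alter (for example handed to the independent auditor, or written to a separate system). Verification needs nothing more than read access to the log lines, which is consistent with the guideline that audit checks be limited to read-only access.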


Under communications and operations management, ISO 17799 includes network security management. One aspect of this management concerns network controls for networks owned and operated by the organization. The document provides implementation guidance for these internal networks; an example of a control follows: Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery. Similarly, the document provides guidance on security controls for network services supplied by external providers. An example of guidance in this area follows: The network service provider's ability to manage agreed services securely should be determined and regularly monitored, and the right to audit should be agreed.


As can be seen, some ISO 17799 specifications are detailed and specific, while others are quite general.


Common Criteria.


The Common Criteria for Information Technology Security Evaluation (CC) are a joint international effort of numerous national standards organizations and government agencies [3,4,5]. US participation comes from the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The CC define a set of IT requirements of known validity that can be used in establishing security requirements for prospective products and systems. The CC also define the Protection Profile (PP) construct, which allows prospective consumers or developers to create standardized sets of security requirements that meet their needs.


The goal of the CC specification is to provide greater confidence in the security of IT products as a result of formal actions taken during the development, evaluation and operation of those products. In the development phase, the CC define sets of IT requirements of known validity that can be used to establish the security requirements of prospective products and systems. Next, the CC detail how a specific product can be evaluated against these known requirements to confirm whether it actually meets them, with an appropriate level of confidence. Finally, once in operation, the evolving IT environment may reveal new vulnerabilities or concerns. The CC detail a process for responding to such changes and, possibly, re-evaluating the product.


Following a successful evaluation, a specific product may be listed as CC certified or validated by the appropriate national agency, such as NIST or NSA in the United States. That agency publishes lists of evaluated products, which are used by government and industry purchasers who need to use such products.


The CC define a common set of potential security requirements for use in evaluation. The term Target of Evaluation (TOE) refers to the part of the product or system that is subject to evaluation. The requirements fall into two categories:

- Functional requirements: define desired security behavior. The CC documents establish a set of security functional components that provide a standard way of expressing the security functional requirements for a TOE.
- Assurance requirements: the basis for gaining confidence that the claimed security measures are effective and correctly implemented. The CC documents establish a set of assurance components that provide a standard way of expressing the assurance requirements for a TOE.


Both functional and assurance requirements are organized into classes: a class is a collection of requirements that share a common focus or intent. Each class contains a number of families. The requirements within a family share security objectives but differ in emphasis or rigor. For example, the audit class contains six families dealing with various aspects of auditing (for example, audit data generation, audit analysis and audit event storage). Each family in turn contains one or more components. A component describes a specific set of security requirements and is the smallest selectable set of security requirements for inclusion in the structures defined in the CC.


For example, the cryptographic support class of functional requirements includes two families: cryptographic key management and cryptographic operation. The cryptographic key management family has four components, which are used to specify the key generation algorithm and key size; the key distribution method; the key access method; and the key destruction method. For each component, a standard may be referenced to define the requirement. Under the cryptographic operation family there is a single component, which specifies an algorithm and key size based on an assigned standard.


Sets of functional and assurance components may be grouped into reusable packages, which are known to be useful in meeting identified objectives. An example of such a package would be the functional components required for Discretionary Access Controls.


The CC also define two kinds of documents that can be generated using the CC-defined requirements:

- Protection Profiles (PPs): define an implementation-independent set of security requirements and objectives for a category of products or systems that meet similar consumer needs for IT security. A PP is intended to be reusable and to define requirements that are known to be useful and effective in meeting the identified objectives. The PP concept was developed to support the definition of functional standards and as an aid to formulating procurement specifications. The PP reflects the user's security requirements.
- Security Targets (STs): contain the IT security objectives and requirements of a specific identified TOE and define the functional and assurance measures offered by that TOE to meet the stated requirements. The ST may claim conformance to one or more PPs and forms the basis for an evaluation. The ST is supplied by a vendor or developer.


Figure 2 illustrates the relationship between requirements on the one hand and profiles and targets on the other. For a PP, a user can select a number of components to define the requirements for the desired product. The user may also refer to predefined packages that assemble a number of requirements commonly grouped together within a product requirements document. Similarly, a vendor or designer can select a number of components and packages to define an ST.
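The class/family/component hierarchy described earlier and the way PPs and STs are built from components and packages can be shown in code. The following is an added example written for this page; it is not part of the CC documents or of the article. The component identifiers used (for example FCS_CKM.1 to FCS_CKM.4 and FCS_COP.1, the key management and cryptographic operation components just mentioned) are real CC Part 2 names, but the package groupings and the sample protection profile and security target are constructed here, and the conformance rule implemented is the simple one stated in the text: the ST must contain every component the PP requires and claim at least the PP's assurance level.

```python
"""Common Criteria requirement structure and PP/ST conformance (added example).

Illustrative code written for this page; not part of the CC documents or of
the original article. Identifiers such as FCS_CKM.1 are real CC Part 2 names
(class FCS, family CKM, component 1); package contents and the sample PP and
ST are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# A CC functional component identifier is <class>_<family>.<number>, e.g. FAU_GEN.1.
_IDENT = re.compile(r"^(F[A-Z]{2})_([A-Z]{3})\.(\d+)$")


@dataclass(frozen=True)
class Component:
    cls: str      # class, e.g. "FCS" (cryptographic support)
    family: str   # family, e.g. "CKM" (cryptographic key management)
    number: int   # component within the family, e.g. 1 (key generation)

    @property
    def ident(self):
        return f"{self.cls}_{self.family}.{self.number}"


def parse_component(ident):
    """Split an identifier into the class/family/component hierarchy."""
    m = _IDENT.match(ident)
    if not m:
        raise ValueError(f"not a CC functional component identifier: {ident!r}")
    return Component(m.group(1), m.group(2), int(m.group(3)))


# Reusable packages: bundles of components. The grouping is constructed here;
# the member identifiers are CC Part 2 components.
PACKAGES = {
    # the two cryptographic support families: four key-management components
    # (generation, distribution, access, destruction) plus cryptographic operation
    "crypto-key-lifecycle": {"FCS_CKM.1", "FCS_CKM.2", "FCS_CKM.3", "FCS_CKM.4", "FCS_COP.1"},
    # audit data generation, user identity association, audit review, protected storage
    "basic-audit": {"FAU_GEN.1", "FAU_GEN.2", "FAU_SAR.1", "FAU_STG.1"},
}


@dataclass
class RequirementsDoc:
    """A PP or ST: directly selected components, referenced packages, claimed EAL."""
    name: str
    components: set = field(default_factory=set)
    packages: list = field(default_factory=list)
    eal: int = 1

    def resolved(self):
        """Expand the packages and return the full set of Component objects."""
        idents = set(self.components)
        for pkg in self.packages:
            idents |= PACKAGES[pkg]
        return {parse_component(i) for i in idents}


def families_by_class(doc):
    """Group a document's components by class, then family, for a coverage overview."""
    grouped = {}
    for c in doc.resolved():
        grouped.setdefault(c.cls, set()).add(c.family)
    return {cls: sorted(fams) for cls, fams in sorted(grouped.items())}


def check_conformance(st, pp):
    """Does the ST cover the PP? Every PP component must appear in the ST and the
    ST's EAL must be at least the PP's; extra ST components are permitted."""
    missing = sorted(c.ident for c in pp.resolved() - st.resolved())
    eal_ok = st.eal >= pp.eal
    return {"conforms": not missing and eal_ok, "missing_components": missing, "eal_ok": eal_ok}


# Constructed sample documents (assumptions), loosely modelled on an EAL 4 smart card PP.
SAMPLE_PP = RequirementsDoc("sample smart card PP",
                            components={"FDP_ACC.1", "FIA_UAU.2"},
                            packages=["crypto-key-lifecycle", "basic-audit"], eal=4)
SAMPLE_ST = RequirementsDoc("sample vendor ST",
                            components={"FAU_GEN.1", "FAU_SAR.1", "FAU_STG.1",
                                        "FDP_ACC.1", "FIA_UAU.2"},
                            packages=["crypto-key-lifecycle"], eal=4)

if __name__ == "__main__":
    print(families_by_class(SAMPLE_PP))
    print(check_conformance(SAMPLE_ST, SAMPLE_PP))
```

Running the block reports that the sample ST fails to conform because it lacks FAU_GEN.2 (user identity association) even though it claims the same EAL. A real CC evaluation applies a richer notion of conformance (the CC distinguish strict from demonstrable conformance, and some components are hierarchical to others), so this check is a first filter for a requirements reviewer, not a substitute for the evaluation itself.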


Figure 2: Organization and Construction of Common Criteria Requirements.


As an example of the use of the CC, consider the smart card. The protection profile for a smart card, developed by the Smart Card Security User Group, provides a simple example of a PP. This PP describes the IT security requirements for a smart card to be used in connection with sensitive applications, such as the banking industry's financial payment systems. The assurance level for this PP is Evaluation Assurance Level (EAL) 4, described later. The PP lists threats that must be addressed by a product claiming to comply with it. The threats include the following:


- Physical probing: may involve reading data from the TOE through techniques commonly employed in integrated circuit (IC) failure analysis and IC reverse-engineering efforts.
- Invalid input: invalid input may take the form of operations that are not formatted correctly, requests for information beyond register limits, or attempts to find and execute undocumented commands. The result of such an attack may be compromise of security functions, generation of exploitable errors in operation, or release of protected data.
- Linkage of multiple operations: an attacker may observe multiple uses of resources or services and, by linking these observations, deduce information that may reveal security function data.


Following the list of threats, the PP turns to a description of security objectives, which reflect the stated intent to counter identified threats or to comply with identified organizational security policies. Nineteen objectives are listed, including the following:


- Audit: the system must provide the means of recording selected security-relevant events, so as to assist an administrator in detecting potential attacks or misconfiguration of the system's security features that would leave it susceptible to attack.
- Fault insertion: the system must be resistant to repeated probing through insertion of erroneous data.
- Information leakage: the system must provide the means of controlling and limiting the leakage of information in the system so that no useful information is revealed over the power, ground, clock, reset or I/O lines.


Security requirements are provided to thwart specific threats and to support specific policies under specific assumptions. The PP lists specific requirements in three general areas: TOE security functional requirements, TOE security assurance requirements, and security requirements for the IT environment. In the area of security functional requirements, the PP defines 42 requirements drawn from the available classes of security functional requirements.


For example, for security audit, the PP stipulates what the system must audit; what information must be recorded; what the rules are for monitoring, operating and protecting the logs; and so on. Functional requirements are also listed from the other classes of functional requirements, with details specific to smart card operation.


The PP defines 24 security assurance requirements drawn from the available classes of security assurance requirements. These requirements were chosen to demonstrate:


- the quality of the product's design and configuration
- that adequate protection is provided during the product's design and implementation
- that the vendor's testing of the product meets specific parameters
- that security functions are not compromised during product delivery
- that user instructions, including product manuals covering installation, maintenance and use, are of a specified quality and adequacy


The PP also lists security requirements for the IT environment. These address the following topics:


- cryptographic key distribution
- cryptographic key destruction
- security functions


The final section of the PP (excluding appendices) is a lengthy rationale for all the selections and definitions in the PP. The PP is a worldwide development effort, designed to be realistic in its ability to be met by a variety of products with a variety of internal mechanisms and implementation approaches.


The concept of evaluation assurance is difficult to define. Moreover, the degree of assurance required varies from one context and one function to another. To structure the need for assurance, the CC define a scale for rating assurance consisting of seven EALs, ranging from the least rigor and scope of assurance evidence (EAL 1) to the most (EAL 7). The levels are as follows:


EAL 1: Functionally tested: for environments where security threats are not viewed as serious. Involves independent product testing with no input from the product developers. The intent is to provide a level of confidence in correct operation.

EAL 2: Structurally tested: includes a review of a high-level design supplied by the product developer. In addition, the developer must conduct a vulnerability analysis for well-known flaws. The intent is to provide a low to moderate level of independently assured security.

EAL 3: Methodically tested and checked: requires a focus on the security features, including requirements that the design separate security-related components from those that are not; that the design specify how security is enforced; and that testing be based on both the interface and the high-level design, rather than black-box testing based only on the interface. It is applicable where the requirement is for a moderate level of independently assured security, with a thorough investigation of the TOE and its development, without incurring substantial re-engineering costs.

EAL 4: Methodically designed, tested and reviewed: requires both a low-level and a high-level design specification; requires that the interface specification be complete; requires an abstract model that explicitly defines the product's security; and requires an independent vulnerability analysis. It is applicable in circumstances where developers or users require a moderate to high level of independently assured security in conventional TOEs and are willing to incur some additional security-specific engineering costs.

EAL 5: Semiformally designed and tested: provides an analysis that includes the entire implementation. Assurance is supplemented by a formal model, a semiformal presentation of the functional specification and high-level design, and a semiformal demonstration of correspondence. The search for vulnerabilities must ensure resistance to penetration attackers with a moderate attack potential. Covert channel analysis and modular design are also required.

EAL 6: Semiformally verified design and tested: permits a developer to gain high assurance from the application of specialized security engineering techniques in a rigorous development environment, and to produce a premium TOE for protecting high-value assets against significant risks. The independent search for vulnerabilities must ensure resistance to penetration attackers with a high attack potential.

EAL 7: Formally verified design and tested: the formal model is supplemented by a formal presentation of the functional specification and high-level design, showing correspondence. Evidence of developer "white box" testing of internals and complete independent confirmation of the developer's test results are required. Design complexity must be minimized.


The first four levels reflect various levels of commercial design practice. Only at the highest of these (EAL 4) is there a requirement for any source code analysis, and that analysis is required for only a portion of the code. The top three levels provide specific guidance for products developed using security specialists and security-specific engineering and design approaches.


National Institute of Standards and Technology.


NIST has produced a large number of Federal Information Processing Standards publications (FIPS PUBs) and Special Publications (SPs) that are extremely useful to security managers, designers and implementers. The following are some of the most important and general. FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems", is a standard that specifies minimum security requirements in 17 security-related areas with respect to protecting the confidentiality, integrity and availability of federal information systems and the information processed, stored and transmitted by those systems [6].


NIST SP 800-100, "Information Security Handbook: A Guide for Managers", provides a broad overview of information security program elements to help managers understand how to establish and implement an information security program [7]. Its topical coverage overlaps considerably with ISO 17799.


Several other NIST publications are of general interest. SP 800-55, "Security Metrics Guide for Information Technology Systems", provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies and procedures [8]. SP 800-27, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", presents a list of system-level security principles to be considered in the design, development and operation of an information system [9]. SP 800-53, "Recommended Security Controls for Federal Information Systems", lists the management, operational and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information [10].


Other Standards and Guidelines.


Another important set of standards is the Control Objectives for Information and Related Technology (COBIT) [11], a set of business-oriented standards to guide management in the sound use of information technology. It was developed as a generally applicable standard for information technology security and control practices and includes a general framework for management, users, IS auditors and security practitioners. COBIT also has a process focus and a governance flavor; that is, management's need to control and measure IT is a focal point. COBIT was developed under the auspices of a professional organization, the Information Systems Audit and Control Association (ISACA). The documents are quite detailed and provide a practical basis not only for defining security requirements but also for implementing them and verifying compliance.


Another excellent source of information is "The Standard of Good Practice for Information Security" from the Information Security Forum [12]. The Standard is designed as an aid to organizations in understanding and applying best practices for information security. Because it approaches security from a business perspective, the Standard appropriately recognizes the intersection between organizational factors and security factors.


In addition to these standards, a number of informal guidelines are widely consulted by organizations in developing their own security policy. The CERT Coordination Center (cert.org) has an Assessments and Practices section of its website with a variety of documents and training aids relating to information security for organizations. The Chief Information Officers Council (cio.gov) has published a collection of Best Practices and other documents relating to organizational security.


References.


[1] Eloff, J. and Eloff, M., "Information Security Management", Proceedings of SAICSIT 2003, South African Institute of Computer Scientists and Information Technologists, 2003.

[2] International Organization for Standardization, "ISO/IEC 27001 - Information Technology - Security Techniques - Information Security Management Systems - Requirements", June 2005.

[3] Common Criteria Project Sponsoring Organisations, "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model", CCIMB-2004-01-001, January 2004.

[4] Common Criteria Project Sponsoring Organisations, "Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements", CCIMB-2004-01-002, January 2004.

[5] Common Criteria Project Sponsoring Organisations, "Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components", CCIMB-2006-09-003, September 2006.

[6] National Institute of Standards and Technology, "Minimum Security Requirements for Federal Information and Information Systems", FIPS PUB 200, March 2006.

[7] National Institute of Standards and Technology, "Information Security Handbook: A Guide for Managers", NIST Special Publication 800-100, October 2006.

[8] National Institute of Standards and Technology, "Security Metrics Guide for Information Technology Systems", NIST Special Publication 800-55, July 2003.

[9] National Institute of Standards and Technology, "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", NIST Special Publication 800-27, June 2004.

[10] National Institute of Standards and Technology, "Recommended Security Controls for Federal Information Systems", NIST Special Publication 800-53, February 2005.

[11] IT Governance Institute, "COBIT 4.0", USA, 2005.

[12] Information Security Forum, "The Standard of Good Practice for Information Security", 2005.


Information systems for security trading.




105 Sistemas de Informação de Pesquisa para Negociação de Segurança Kar Yan Tam Departamento de Gestão Ciência e Sistemas de Informação, Faculdade e Escola de Pós-Graduação em Negócios CBA 5.202, Universidade do Texas, Austin, Texas 78712-1175, EUA A desregulamentação dos mercados financeiros criou um ambiente volátil e competitivo para as empresas envolvidas no comércio de segurança. Para se manterem competitivas, as empresas de segurança precisam confiar mais em seus sistemas de informação (IS) para aumentar sua capacidade de resposta às condições do mercado. À medida que o valor estratégico e o custo desses sistemas aumentam, o cuidado extremo deve ser explicado no seu projeto. Neste artigo, abordam-se questões relativas ao projeto de IS para negociação de segurança. São discutidos quatro grandes problemas: (1) Segmentação do processo comercial, (2) Identificação dos objetivos comerciais, (3) Requisitos tecnológicos e (4) Apoio, planejamento e controle da administração. Palavras-chave: Instrumentos Financeiros, Objetivos de Negociação, Automação de Negociação de Segurança, Processamento de Pedidos, Investimento de Fundo, Arancela, Negociação de Programas. Kar Yah Tam é atualmente professor assistente de Sistemas de Informação na Universidade do Texas em Austin. O professor Tam possui um B. S. em Matemática e Ciência da Computação da Universidade de Illinois em Urbana, um M. S. em Ciência da Computação e um Ph. D. em Sistemas de Informação de Gerenciamento, ambos da Purdue University. O seu ensino na Universidade do Texas inclui comunicação de dados, administração de banco de dados e sistemas de suporte de decisão. Os principais interesses de pesquisa do professor Tam se concentram nas aplicações da Inteligência Artificial em finanças e fabricação. Holanda do Norte Informação & amp; Gestão 16 (1989) 105-114 1. Introdução A economia mundial experimentou uma proliferação de instrumentos financeiros durante a última década. 
Estes, como índices financeiros, opções, fundos mútuos, títulos garantidos por hipotecas, swaps de taxa de juros e de moeda aumentaram significativamente o número de alternativas para investir, angariar fundos, proteger os riscos e realizar atividades de arbitragem. O impacto para o setor de serviços financeiros é realmente significativo. No entanto, esta bonança financeira mostra nenhum sinal de término. Em vez disso, espera-se que produtos mais inovadores apareçam no futuro. Esses produtos provavelmente serão orientados para os investidores institucionais, já que suas participações nos mercados de segurança têm aumentado nos últimos anos. A força motriz por trás dessa bonança é principalmente a desregulamentação dos mercados financeiros em todo o mundo - O "Big Bang" na U. K. e a abertura do mercado financeiro japonês e a ampla disputa entre trocas. A desregulamentação vem alimentando a proliferação de produtos físicos ao implantar as comissões fixas cobradas pelos corretores e ao permitir que bancos e companhias de seguros participem no negócio de corretagem. Para obter o capital necessário para se adaptar a um ambiente mais competitivo, o setor se está reorganizando e isso resultou em uma série de fusões e consolidações. A proliferação de instrumentos financeiros regeu a formulação e implementação de estratégias comerciais uma tarefa laboriosa. A complexidade envolvida na seleção de qual segurança para estabelecer (ou liquidar) ultrapassou a compreensão humana porque as restrições de tempo impostas a esses processos de decisão se enquadram em fracções de um segundo, e isso é comum na arbitragem. Perdas substanciais, em termos monetários reais ou custos de oportunidade, serão incorridas se qualquer alteração no mercado não for rapidamente identificada, interpretada e atualizada. 0378-7206/89/$3.50 © 1989, Elsevier Science Publishers B. V. 
(North-Holland)

In order to increase the responsiveness of their trading operations to market information, security firms have been investing heavily in computerized trading systems [6]. The trend towards security trading automation has become apparent in recent years. First, computers were installed to automate the clerical work, such as maintaining account positions and conducting the settlement process. Then computers were integrated with the communication network to facilitate prompt access to financial data from the market. Nowadays, program trading, portfolio insurance, and similar concepts could never be materialized without computers.

A major concern shared by companies engaged in security trading is how to face the structural changes of the environment and to stay competitive. In particular, how do we process the tremendous amount of financial data in real time, and what is needed to achieve that? Here, we address these questions from an information system point of view. Our intent is to point out the essential attributes of an information system for security trading and to address issues pertaining to its design.

2. Segmentation of the Trading Process

A Security Trading System in its broadest sense refers to an organized entity designed to carry out trading operations. In [29], Strahm has defined the term "trading systems" as:
(1) A trading advisor who handles managed accounts, private pools, or public funds;
(2) A portfolio of several advisors;
(3) A set of trading rules ("technical trading systems") using specific parameter values applied to a single market;
(4) A technical trading system simultaneously trading with several distinct sets of such parameter values;
(5) A technical trading system simultaneously applied to a wide variety of markets; and
(6) Several technical trading systems employed simultaneously.
Of course, this list is not exhaustive.
Nevertheless, an invariant property of these systems is that they take in information, interpret it, and respond accordingly. The entire process is carried out in real time. In some systems, such as technical trading, responses to incoming information are pre-specified in the form of trading rules. In its strictest form, a technical trading system does not involve any human intervention. It sells and buys securities according to the signals generated by the underlying trading rules, which are in turn specified by a set of parameters such as high/low prices and transaction volumes [see references 14, 15, 32]. However, most trading systems have a significant degree of trader participation.

The generic structure of a trading system and its interactions with the market(s) is shown in Fig. 1. It depicts the flow of information and its transformation during the entire process. The trading process is divided into three functional segments: (1) information gathering, (2) formulation/analysis, and (3) strategy implementation. In a typical trading system, information is constantly generated from the market(s) and channeled to the trading system. The form of information collected from the market is rudimentary. It can be ask-bid prices from the exchanges, latest reports of the economy, news about incidents happening world-wide, and corporate earning reports, to name a few. The volume of information is tremendous; therefore a certain degree of preprocessing is required to condense the incoming information to a manageable size. Two types of preprocessing take place during the information gathering stage: filtering and updating.

Filtering. Not all information is relevant in a particular instance. That which is irrelevant with respect to the current trading strategy need not be retained. This avoids overburdening the trader with useless information.
For example, a trader working on a foreign exchange hedge strategy may be interested in the spot rate and the 3-month future rate of yen and dollar only. All other information would be irrelevant at this time.

Updating. Some data have to be updated to reflect the actual situation in the market. Among these, ask-bid prices are the most important; they need to be updated whenever a new transaction has taken place. Traders are usually interested in the trend of movements in transaction volume and security prices. Thus, logs of these data are important in making decisions. Unlike some of the information that can be filtered out, information pertaining to these data has to be retained for further use.

[Fig. 1. Segmentation of the Trading Process. News, quotes and financial data flow from the market into the trading system's Information Gathering stage (update, filter and retrieve), then to Strategy Formulation & Analysis, then to Strategy Implementation, which sends selling/buying orders back to the market at actual prices.]

In essence, the output of the first stage is an updated description of the market(s) and the position of the firm. The outputs may be different in different trading systems because of discrepancies between the ways these two preprocessing functions operate. This partially explains why two trading systems will behave differently in the same market situation. The difference in trading behavior can also be explained by the various trading objectives with which trading systems are associated.

Once an updated description of the market is obtained, the next step is to formulate trading strategies. They are then analyzed. The complexity of these analyses varies significantly and is dependent on the system objective. No matter how complicated a trading strategy is, it can always be reduced to answering the question "When should we establish/liquidate a position of a security?" The answer is, to a large extent, dependent on the following factors: actual ask/bid price; requested ask/bid price; size of each contract; maturity date (if any); margin requirement; transaction cost; estimated risk; estimated return; forecasted supply/demand; and tax requirement. Added to these factors are the relationships between different yet closely bound instruments, such as between the price of a stock option and of the underlying stock. As shown in the list, the formulation/analysis stage is knowledge-intensive. It draws on information from sources in different domains. Hence, it usually takes a relatively large amount of time to arrive at a trading decision. Instead of trading a single security, an investment strategy usually includes the trading of a basket of securities. Large-scale mathematical programming is commonly used to decide the weights to be invested in an individual security.
Some of these optimization techniques have proved to be extremely time-consuming (NP-hard), and the variables (e.g., expected yield and risk) that are input to these optimization programs in turn have to be estimated beforehand by using statistical routines. These tasks take up a large amount of time, making the analysis stage the bottleneck of the entire process. Any means that can speed up these tasks will definitely improve the position of the company with respect to its peers. A trading system capable of interpreting and responding more quickly than others will definitely gain a comparative advantage. Recently, attempts have been made to automate a subset of the analysis process by using advanced techniques of artificial intelligence and expert systems [22].

Once the trader has decided which securities to establish (or liquidate) and at what prices, the corresponding trading strategy is then implemented. This involves the actual buying and selling of securities in the market. In order to avoid opening the trader's position to potential losses, the trader must compare actual quoted prices with the calculated prices before committing to a strategy. It is very likely that the prices on which the formulation was based will have by then changed. The implementation must be achieved in such a way that the strategy is either totally completed or aborted. A half-way completed strategy would have unknown and probably disastrous results. There are two complications here. First, a strategy might consist of securities that are traded in geographically different markets in different time zones; a number of securities have spot and future markets located in different parts of the world. Second, a strategy might require the simultaneous trading of a number of securities; this is very common in arbitrage and hedging strategies. Trading strategies are manually implemented by a group of traders.
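The all-or-nothing requirement just described (re-check the quoted prices against the prices the strategy was calculated on, then either complete every leg or abort) is illustrated by the following Python program. It is an added example, not code from the paper or from any exchange system; the `SimulatedMarket` class, the relative price `tolerance`, and the unwinding of already-filled legs with compensating orders are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List


class Side(Enum):
    BUY = "buy"
    SELL = "sell"

    def opposite(self) -> "Side":
        return Side.SELL if self is Side.BUY else Side.BUY


@dataclass(frozen=True)
class Leg:
    security: str
    side: Side
    quantity: int
    calculated_price: float  # price the strategy was formulated on


@dataclass(frozen=True)
class Fill:
    security: str
    side: Side
    quantity: int
    price: float


class Outcome(Enum):
    COMPLETED = "every leg executed"
    ABORTED = "no order sent: quotes drifted beyond tolerance"
    UNWOUND = "a leg was rejected: earlier fills reversed"


@dataclass
class Result:
    outcome: Outcome
    fills: List[Fill] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


class SimulatedMarket:
    """Constructed stand-in for exchange connectivity (assumption, not a real venue API)."""

    def __init__(self, quotes: Dict[str, float], rejects: Iterable[str] = ()):
        self.quotes = dict(quotes)
        self.rejects = set(rejects)  # securities whose orders the venue refuses

    def quote(self, security: str) -> float:
        return self.quotes[security]

    def execute(self, leg: Leg) -> Fill:
        if leg.security in self.rejects:
            raise RuntimeError(f"order for {leg.security} rejected by venue")
        return Fill(leg.security, leg.side, leg.quantity, self.quotes[leg.security])


def implement_strategy(legs: List[Leg], market: SimulatedMarket,
                       tolerance: float) -> Result:
    """All-or-nothing implementation of a multi-leg strategy.

    Phase 1: compare each leg's live quote with the price the strategy was
    calculated on; if any leg drifted by more than `tolerance` (relative),
    abort before a single order is sent.
    Phase 2: send the orders; if a leg fails, reverse the fills already
    obtained with compensating orders so that no half-completed position
    is left open (the unwinding step is this example's assumption).
    """
    reasons: List[str] = []
    for leg in legs:
        live = market.quote(leg.security)
        drift = abs(live - leg.calculated_price) / leg.calculated_price
        if drift > tolerance:
            reasons.append(f"{leg.security}: quoted {live}, calculated {leg.calculated_price}")
    if reasons:
        return Result(Outcome.ABORTED, [], reasons)

    fills: List[Fill] = []
    for leg in legs:
        try:
            fills.append(market.execute(leg))
        except RuntimeError as exc:
            reasons.append(str(exc))
            for done in reversed(list(fills)):  # newest fill first
                reverse = Leg(done.security, done.side.opposite(), done.quantity, done.price)
                fills.append(market.execute(reverse))
            return Result(Outcome.UNWOUND, fills, reasons)
    return Result(Outcome.COMPLETED, fills, reasons)


def net_positions(fills: Iterable[Fill]) -> Dict[str, int]:
    """Signed quantity per security; every value is 0 after a clean unwind."""
    net: Dict[str, int] = {}
    for f in fills:
        signed = f.quantity if f.side is Side.BUY else -f.quantity
        net[f.security] = net.get(f.security, 0) + signed
    return net


# Constructed sample: a three-leg, index-arbitrage style strategy.
SAMPLE_LEGS = [
    Leg("INDEX-FUT", Side.SELL, 10, 300.0),
    Leg("AAA", Side.BUY, 100, 50.0),
    Leg("BBB", Side.BUY, 100, 25.0),
]

if __name__ == "__main__":
    market = SimulatedMarket({"INDEX-FUT": 300.2, "AAA": 50.01, "BBB": 24.99})
    print(implement_strategy(SAMPLE_LEGS, market, tolerance=0.005).outcome)
```

The price check in phase 1 is the cheap part; the real risk sits in phase 2, where a compensating order can itself be rejected or filled at a worse price, so a production executor would log every fill and reversal and escalate a failed unwind to a trader rather than retry silently.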
The entire strategy is properly divided and synchronized among the participants. A trading group might be organized internally, in the same dealing room, or across phone lines. Communication and control during the actual buying and selling are made possible by shouting or across phone lines. In general, the objective of this stage is to check the requirements of the formulated strategies against the actual market conditions, making sure that no half-way completed trading strategy is executed. Some exchanges provide on-line buying and selling systems that will reduce the risk exposure during the implementation of a trading strategy. For example, the New York Stock Exchange (NYSE) operates a Designated Order Turnaround System (DOT) which allows its members to place selling and buying orders for a large basket of securities at the same time.

3. Objectives of Trading Systems

What makes a trading system unique is its objective. Trading systems can be categorized according to three different objectives: order processing, arbitrage, and fund investment. Because different objectives impose different functional requirements on the information systems, an understanding of these three is essential.

Order Processing Systems

Order processing systems are the most basic forms. In fact, processing orders is the primary function served by a brokerage house before all others. Its objective is to carry out buying and selling orders for its customers. These systems are profit centers because the major portion of revenue is generated from commissions charged for each transaction.

Arbitrage Systems

The objective of an arbitrage system is to detect arbitrage opportunities that lead to risk-free profits. The many ways of carrying out arbitrage activities are usually coded as mathematical expressions with prices as the determining variables.
Any significant deviation from the equilibrium position as reflected by these expressions will trigger the execution of an arbitrage strategy to capitalize the profit. For example, a simplified arbitrage strategy based on the interest rate parity relationship is stated as the following decision rules:

If $\Delta y + (1 + r_d)^t < R_0 (1 + r_f)^t / R_t$, then at time 0:
1. borrow from the domestic bond market and invest in the foreign bond market yielding $r_f$, and simultaneously
2. purchase a future contract on domestic currency at $R_t$.

If $(1 + r_d)^t > \Delta y + R_0 (1 + r_f)^t / R_t$, then at time 0:
1. borrow from the foreign bond market and invest in the domestic bond market yielding $r_d$, and simultaneously
2. sell a future contract on domestic currency at $R_t$.

where
$r_d$ = current yield of the domestic bond market,
$r_f$ = current yield of the foreign bond market,
$R_0$ = spot exchange rate of the two currencies,
$R_t$ = exchange rate of the two currencies at time $t$, $t > 0$,
$\Delta y$ = threshold yield of the strategy, $\Delta y > 0$.

Relatively little computation is required to evaluate these expressions, yet the speed with which prices are reported and buying signals are delivered directly determines the efficacy of an arbitrage system. Program Trading systems are notable examples of arbitrage systems; they have stirred considerable controversy recently. An arbitrage strategy is coded as a computer program in program trading. The computer watches closely the spot prices of those stocks that make up a stock index (such as the S&P 500), and compares them with the stock index future (S&P 500 Future Index). Any significant difference between the two implies a risk-free yield. Selling and buying orders are then generated automatically to capitalize the profit. The risk-free property of arbitrage activities makes it possible to delegate a significant portion of the job to the computer.
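The two interest rate parity decision rules above, coded as a Python function. This is an added example, not the paper's own code. It assumes simple compounding over the horizon $t$ and that $R_0$ and $R_t$ are quoted as units of foreign currency per unit of domestic currency, so that one unit of domestic currency converted at $R_0$, invested at $r_f$ and converted back at $R_t$ yields $R_0 (1 + r_f)^t / R_t$, the right-hand side of the first rule. The `still_valid` re-check is the paper's point that quoted prices must be compared with the prices the calculation was based on before committing; the function names and the `Signal` record are this example's own.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "no trade: deviation within threshold"
    BORROW_DOMESTIC = "borrow domestic, invest foreign at r_f, buy domestic-currency future at R_t"
    BORROW_FOREIGN = "borrow foreign, invest domestic at r_d, sell domestic-currency future at R_t"


@dataclass(frozen=True)
class Signal:
    action: Action
    domestic_growth: float  # (1 + r_d)^t
    covered_foreign: float  # R_0 (1 + r_f)^t / R_t
    edge: float             # covered_foreign - domestic_growth


def parity_signal(r_d: float, r_f: float, R_0: float, R_t: float,
                  t: float, delta_y: float) -> Signal:
    """Apply the paper's two decision rules at time 0.

    Assumptions (not stated in the paper): simple compounding over t, and
    exchange rates quoted as foreign currency per unit of domestic currency.
    """
    if delta_y <= 0:
        raise ValueError("threshold yield delta_y must be positive")
    if R_0 <= 0 or R_t <= 0 or t <= 0:
        raise ValueError("exchange rates and horizon must be positive")
    domestic = (1.0 + r_d) ** t
    covered = R_0 * (1.0 + r_f) ** t / R_t
    if delta_y + domestic < covered:
        action = Action.BORROW_DOMESTIC   # first rule
    elif domestic > delta_y + covered:
        action = Action.BORROW_FOREIGN    # second rule
    else:
        action = Action.NONE              # inside the +/- delta_y band
    return Signal(action, domestic, covered, covered - domestic)


def still_valid(original: Signal, **latest) -> bool:
    """Re-evaluate on the latest quotes just before committing: the paper
    stresses that the prices used in formulation may have changed by then."""
    return parity_signal(**latest).action is original.action


if __name__ == "__main__":
    s = parity_signal(r_d=0.02, r_f=0.08, R_0=1.0, R_t=1.0, t=1, delta_y=0.001)
    print(s.action.value, round(s.edge, 4))
```

The threshold $\Delta y$ is what keeps the rule from firing on quoting noise and on deviations smaller than transaction costs; the fourth assertion in the test shows that a forward rate which exactly offsets the rate differential leaves no opportunity, which is the parity condition itself.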
However, most trading transactions are generated by investment activities with risk as the major factor in decision making.

Fund Investment Systems

The number of funds, especially mutual funds, has increased significantly in recent years. Under the risk/yield framework of investment theory [20], the objective of a fund investment system is to attain the maximum yield of a fund given a certain degree of risk. Instead of detecting deviations in prices as in the case of arbitrage, a complete investment strategy requires assessing the risk exposure of each strategy and its expected return. Large scale optimization techniques provide part of the solution. However, some of the parameters, such as political and social incidents which have significant impacts on the decisions, cannot be easily quantified. They are instead subject to human valuations, which are based on experience, intuition, and belief.

4. Mapping Trading Objectives with System Functions

Sometimes, trading systems serve more than one objective during operation. For instance, in foreign exchange dealing, orders and arbitrages are usually processed concurrently. Failing to separate these three objectives might lead to poor mapping between system functions and their intended purposes. For order processing systems, security prices and customers' orders are the primary input. Each order received is checked against the current position of the customer and the margin requirement (if appropriate) associated with the security. A commission is calculated and the order is then sent to the market. The input prices are used to update the positions of the customers. In cases where brokerage houses offer financial services to their customers, it is essential to keep track of the status of each customer. If the current prices indicate that additional funds are required to cover losses in an account, signals are then generated to alert the trader to inform the customer.
This is especially important for highly leveraged securities, such as future commodities with low margin requirements [26]. Selling and buying orders are not necessarily implemented on-line or in chronological sequence. The sequence depends on the priority set by the system. Order processing IS are supportive in nature; they support the trading operation by monitoring the status of each account in response to market conditions. Overall, the design of an order processing system is basically that of an accounting IS with some extended computational facilities [7,11,17]. Thus, guidelines similar to those for an accounting IS can be followed.

The main task of an arbitrage system is to detect any price fluctuations that lead to a locked-in profit. Time is critical. A fast computation unit is required to assess the arbitrage relationship in real time. The amount of data involved is relatively small, mainly quoted prices; yet that information has to be retrieved very quickly. This imposes constraints on the design of the retrieval system which would favor certain data modeling schemas and file structures over others. For example, it might suggest a traditional file system over a relational DBMS simply because the former is more efficient. Because of the repetitive nature of the task, information can even be hardwired in the system. This gives the fastest arbitrage system possible. To this end, arbitrage systems are actually real-time processing systems.

Unlike arbitrage, fund investment includes risk, a factor which must be considered in analyzing fund investment strategies. The design of IS that support fund management should therefore include facilities that support the assessment of risks. A number of pricing models have been developed to assist traders in understanding the relationship between return and risk of an investment portfolio.
The Capital Asset Pricing Model (CAPM) developed by Sharpe [27], Lintner [18], and Mossin [19] has been widely used for the last two decades. A more general model based on the Arbitrage Pricing Theory (APT) proposed by Ross [23,24] has been gaining popularity in recent years. Both of these models relate the return of a security to the systematic risk associated with the security. They differ in the number of factors to which the systematic risk is related. In CAPM, the systematic risk is related to the market portfolio, whereas in APT it can be related to more than one economic factor. The parameters of these pricing models require a large amount of data to estimate. To support this, a database is essential to store the historic data for estimation purposes.

Instead of adopting a quantitative approach in risk assessment, traders may employ a qualitative approach. In this approach, the risk associated with a fund depends on a set of attributes that are defined by a trader (or a group of traders). These attributes and their values represent the trader's perception and decision model of the market situation, thus explaining why different traders will respond differently to an identical market situation. The determination of an attribute value may simply be based on previous experience or it might require the solution of a huge combinatorial problem (determining the weights of stocks comprising a fund). Usually, a fund investment strategy is the end-product of a combination of empirical and qualitative analyses. To facilitate these analyses, we need:

1. A model management system to store the analytical models. This is a piece of software that supports the definition, management, integration, and execution of models. Numerous model management schemas have been proposed, ranging from first order predicate logic [4], CODASYL DBTG [16,28], relations [2,3], and structural modelling [10]. They differ in the ways models are represented at the logical level.
The actual implementation of models is opaque to the users. By providing a logical view of models independent of their physical storage structures and processing procedures, traders are able to call upon the various portfolio selection and asset pricing models stored in the model base in a declarative manner. In other words, the traders only have to specify what they want without bothering with how the calculation is performed.

[Fig. 2. Integration of Models and Data in Strategy Formulation. A model base (Capital Asset Pricing Model, portfolio selection model, market risk model) and a database (investment portfolio, data of financial securities, price movement log, risk of each security) are joined through an interface.]

2. A database storing information on the fund. It serves two main purposes. First, it provides a static view of the fund at any particular point in time. Second, it stores the historic data pertaining to the fund. These data include price and volume movements of securities, economic indexes, P/E ratios, etc. Some are used to estimate the model parameters while others may be used for report generation.

3. An interface blending the database and the model management system to support integrated problem solving, queries, and report generation. For instance, in building an investment portfolio, a trader might want to use Markowitz's model to determine the weight of each comprising security. The inputs of Markowitz's model are the expected risk and expected yield of each security. In order to obtain the input, the trader may want to use another model, say the Capital Asset Pricing Model, to estimate the expected yield of each security. For the expected risk, the trader may simply calculate the variance in price movement during the past six months. For the Capital Asset Pricing Model, the trader has to decide on the market portfolio in order to determine the market risk.
To do this, it may be necessary to browse through the database to select the securities for the market portfolio. The data flow diagram for this example is illustrated in Fig. 2. Other traders might employ totally different strategies, requiring different models and data. As illustrated by this example, the process of strategy formulation and analysis requires integrated resources from the database, the model management system, and the trader. An interface that integrates all three components as a synergy is essential to provide fast answers to what-if questions.

5. Technology Requirements

Several recent technologies and their applications to security trading are now discussed.

Communications

A fast communication network forms the core of any trading system. Furthermore, the trend toward twenty-four hour global trading necessitates a global network that connects offices in different geographical regions. This was made possible by the advent of data communication technologies, such as Integrated Services Digital Network (ISDN) and optical fibre. They have drastically increased the capacity of communication lines, allowing more data to be transmitted at a higher speed, and eventually at a lower cost. In terms of data presentation, the information vendor is shifting from video to digital feeds. This allows in-house processing of data that can be presented in any format required by the traders. The number of connecting switches can be reduced significantly by using digital feeds, making it possible to expand the dealing room with much less wiring. The use of optical fibers will significantly increase the bandwidth and the accuracy of digital transmission. Since optical fibers are smaller and easier to install, they require much less space. This can also reduce the cost of setting up a dealing operation, because dealing rooms are usually located in financial districts where the rental cost is very high.
Data Security

Since financial data, as well as buying/selling orders, are delivered through this network, they are vulnerable to flaws, both intentional and unintentional. Information has to be properly encrypted and physically protected from outsiders. An internal security policy, specifying the access-right hierarchy and the operational procedures, has to be determined in collaboration with top management. This policy should provide a secure environment that covers all components, both hardware and software, and human users engaged in the trading operation [25]. The granularity of the security measures may range from the logical record locking mechanism of a database management system [33] up to the physical locking of a tape library. For internal control purposes, accesses to customer accounts and classified data must be placed on a log and audited periodically [9] to ensure compliance with security procedures.

Expert Systems

There is an emerging role of expert systems in the domain of security trading. In fact, a number of brokerage houses and banks are developing expert systems to facilitate their trading activities. An expert system is a piece of software that replicates the reasoning processes of human experts [12]. In most such systems, reasoning knowledge is organized as a set of production rules, each relating a set of conditions to some actions or decisions [5,13]. Expert systems are applicable to all phases of the trading process. First, they can help to screen out irrelevant information flowing into the trading system. Second, they can assume part of the analyst's job. Third, they can coordinate and synchronize the buying and selling orders of a trading strategy, making sure that it is totally completed or else aborted. Wisely used, expert systems can reduce the time of the entire trading process, making it possible to respond more rapidly to incoming market information.
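The internal-control requirement in the Data Security paragraph (accesses to customer accounts and classified data are logged and audited periodically against an access-right hierarchy) can be mechanised as a periodic audit job that replays the log against the policy. The following Python program is an added example, not from the paper; the log line format, the role ranking, the policy table, the repeated-denial threshold and the sample log entries are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Access-right hierarchy: a higher rank dominates lower ones (constructed policy).
RANK = {"clerk": 1, "trader": 2, "supervisor": 3, "auditor": 3, "admin": 4}

# Minimum rank required per (object class, action); constructed sample policy.
POLICY = {
    ("quote", "read"): 1,
    ("account", "read"): 2,
    ("account", "write"): 3,
    ("classified", "read"): 3,
    ("classified", "write"): 4,
}

# Constructed log line format: one access decision per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"object=(?P<cls>[a-z]+):(?P<obj>\S+) result=(?P<result>allowed|denied)$"
)

REPEATED_DENIALS = 2  # flag a user at this many denied attempts in one audit window


@dataclass(frozen=True)
class Finding:
    line: int
    code: str    # EXCESS_GRANT, REPEATED_DENIAL, MALFORMED, UNKNOWN_ROLE, NO_POLICY
    detail: str


def audit(lines: List[str]) -> List[Finding]:
    """Check every logged access decision against RANK and POLICY."""
    findings: List[Finding] = []
    denials: Counter = Counter()
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            # An entry that cannot be parsed cannot be audited; that is itself a finding.
            findings.append(Finding(n, "MALFORMED", "entry cannot be audited"))
            continue
        e = m.groupdict()
        required = POLICY.get((e["cls"], e["action"]))
        if required is None:
            findings.append(Finding(n, "NO_POLICY", f'{e["cls"]}/{e["action"]} has no rule'))
            continue
        rank = RANK.get(e["role"])
        if rank is None:
            findings.append(Finding(n, "UNKNOWN_ROLE", e["role"]))
            continue
        if e["result"] == "allowed" and rank < required:
            # The system granted more than the access-right hierarchy permits.
            findings.append(Finding(n, "EXCESS_GRANT",
                f'{e["user"]} ({e["role"]}) {e["action"]} {e["cls"]}:{e["obj"]} needs rank {required}'))
        elif e["result"] == "denied":
            denials[e["user"]] += 1
            if denials[e["user"]] == REPEATED_DENIALS:
                findings.append(Finding(n, "REPEATED_DENIAL",
                    f'{e["user"]} reached {REPEATED_DENIALS} denied attempts'))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2018-04-21T09:15:02 user=alice role=trader action=read object=account:10042 result=allowed",
    "2018-04-21T09:16:10 user=bob role=clerk action=read object=account:10042 result=allowed",
    "2018-04-21T09:17:45 user=bob role=clerk action=read object=classified:strategy-q2 result=denied",
    "2018-04-21T09:18:01 user=bob role=clerk action=write object=account:10042 result=denied",
    "2018-04-21T09:20:33 user=carol role=supervisor action=write object=account:10042 result=allowed",
    "corrupted entry",
    "2018-04-21T09:21:00 user=dave role=trader action=write object=classified:strategy-q2 result=allowed",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line}: {f.code}: {f.detail}")
```

The audit is only as trustworthy as the log it reads, so the log itself belongs under the same access-right hierarchy (append-only, writable by the system and readable by the auditor role) or the EXCESS_GRANT findings can be edited away by the people they concern.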
Fault-Tolerant Computers

Fault-tolerance should be an essential property of the underlying hardware to make sure that computing resources are available when needed. Halting the trading operation is an expensive alternative. Safety is made possible by duplicating the hardware components and adding fault detection and recovery circuits to a conventional computer architecture. An alternative is a backup computer, together with a set of backup procedures that specify the actions to be taken when the master computer fails.

6. Management Issues

The capital investment in an information system, including software, hardware, maintenance, and administration, is huge. Therefore, the support and understanding of top management is of prime importance in launching a project. The following is a set of typical management concerns.

Support of Top Management

Objective

Each trading system has its own objective. This, whether order processing, arbitrage or fund investment, should be set forth by top management and must be clearly defined beforehand. This is important because the objective can be articulated into the functions of the system, which in turn identify the factors related to its design. The functions performed by an arbitrage system might be very different from those of a fund investment system, with each implying a totally different capacity planning and budgeting strategy. Systems with different objectives should be based on different sets of costs and benefits. In the case of an arbitrage system, the costs and benefits of the system can be correlated with the amortized expenses and the monetary return of the system over a period of time. However, the same criteria would not be applicable to a fund investment system, where the return of the fund depends on factors which are exogenous to the system.
Environmental Factors

Environmental factors are those exogenous to a company, such as government regulations/deregulations, market developments, international political situations, and technological innovations. Because of the rapidly changing environment, judging from the average lifetime of a dealing room, the life span of a trading system is only two to three years. Therefore, in developing a trading operation, management should strive to forecast these factors and integrate the findings with the objective of the system. A carefully planned system with a provision to "expect the unexpected" is essential to keep the company at the competitive edge. To achieve this, top management should regularly interact with MIS personnel, making sure that the system is well designed to cope with environmental change.

Market Integration

Most trading operations of securities firms are segmented into markets. Operations are managed individually as loosely connected subdivisions. This segmentation of trading operations into different markets makes it difficult to implement strategies that span different markets in a timely fashion. Hedging strategies, for example, usually involve two or more markets. To facilitate cross-market trading [1,8], the information systems of different trading operations should function as a single system in implementing cross-market trading strategies.

Responsibility for Computer-Generated Decisions

A trading decision today is not just the end product of a mental process but is an interactive process between a trader and the decision support aids. This semi-automatic decision making process renders it very difficult to define the responsibility of traders. Nevertheless, management should provide guidelines that define the scope of responsibility and the role of a trader engaged in the process.
But computers cannot be held responsible for their decisions; therefore top management has to decide what kinds of decisions can be made by the computer and who should be responsible for them. In a real-time arbitrage system, selling and buying signals are generated by computers once arbitrage opportunities are detected. Should these signals be automatically sent to the market or should they just alert the traders who are the final decision makers? An arbitrage opportunity might last only for fractions of a second. Any delay will probably impair the possibility of making a risk-free profit. In this case, top management has to compromise between the time gained in a fully automatic trading system and the likelihood of a computer generated error.

7. Concluding Remarks

The recent price volatility on the exchanges in New York and Chicago is attributed to computer-monitored arbitrage activities, commonly known as Program Trading. It is an arbitrage strategy that uses computers to keep track of the deviation between a stock index future and the spot prices of the composing stocks. Any significant difference between the two results in a risk-free yield. Selling and buying signals are then generated to capitalize the profit.

Perceptions of automated security trading are mixed. Public reactions to Program Trading illustrate some of these views. Practitioners in the securities industry have voiced their concerns, and the positions they take depend on the size and the financial capacity of their firms. Critics of Program Trading blame it for the unnecessary volatility of the market. Prices of stocks, at least in the short run, no longer reflect the underlying value and the earning power of the firm. Critics argue that the fundamental purpose of stock trading, which is capital formation, is distorted in the hands of Program Trading. Furthermore, funds from other markets (e.g., bond markets) are likely to be attracted and channeled into the stock market in the hope of arbitrage opportunities. This adversely affects the capital formation process of other markets, thus causing the cost of capital to rise and prices to become unpredictable in those markets.

On the other hand, some big brokerage firms are positive towards Program Trading. Their arguments are based on the increase in market efficiency caused by Program Trading, and they claim that price volatility is merely an adjustment of the market to incoming information. Whether computers are used or not, the market will still adjust to this information. The only difference is that electronic speeds make it possible to shorten the entire process to seconds. From an economic point of view, any arbitrage opportunity will be quickly detected and eliminated by the market. The increase in responsiveness to incoming information, as reflected by the rapid changes in price, is the property of a more efficient market.

Regardless of opinions, the trend to automation in security trading is underway, and its impact on the financial markets is definitely high. Since the first step in automation has already had a subtle impact on the security market, one would expect structural change to occur in the entire security industry in the months and years ahead. Small brokerage firms are likely to be taken over or go out of business, because of their lack of capital to invest in developing new trading systems. Companies in the brokerage business have to rely more than ever on their computers to increase their responsiveness. The automated information system is becoming the nucleus of the entire trading operation.
As pointed out by McFarlan and McKenney [21], the strategic value of information systems in the financial service industry is increasing as more profitable financial products are directly supported by these systems, as illustrated by the increasing budget allocated for technological development in many large banks. According to recent studies [30,31], seven U.S. banks spent more than $200 million per year on technology, with Citicorp topping the group by investing $850-900 million annually in developing technologies to increase its competitiveness.


Because an information system plays a strategic role in a financial company, any flaws in the final system caused by an improper design are intolerable and constitute a failure of a strategic nature. Extreme care must be exercised in planning and design. The four major issues, (1) segmentation of the trading process, (2) identification of trading objectives, (3) technological requirements, and (4) management support, planning and control, attempt to identify the essential attributes and to offer design guidelines in building these systems.


References


[1] Anderson, R. and Danthine, J., Cross Hedging, Journal of Political Economy 89 (6), 1981.
[2] Blanning, R. W., A Relational Framework for Model Management in Decision Support Systems, Transactions of the International Conference on Decision Support Systems, DSS-82, 1982.
[3] Blanning, R. W., A Relational Framework for Model Bank Organization, Proceedings of the IEEE Workshop on Languages for Automation, November 1984.
[4] Bonczek, R. H., Holsapple, C. W. and Whinston, A. B., The Evolving Roles of Models in Decision Support Systems, Decision Sciences 11 (2), 1980.
[5] Davis, R., Buchanan, B. G. and Shortliffe, E. H., Production Rules as a Representation for a Knowledge-based Consultation Program, Artificial Intelligence 8 (1), 1977.
[6] Duffy, F., Dealing Rooms, The Banker, September 1986.
[7] Everest, G. C. and Weber, R., A Relational Approach to Accounting Models, Accounting Review 52 (2), 1977.
[8] Figlewski, S., Hedging with Stock Index Futures: Theory and Application in a New Market, Journal of Futures Markets 5 (2), 1985.
[9] Florentin, J. J., Consistency Auditing of Databases, The Computer Journal 17 (2), 1974.
[10] Geoffrion, A. M., Structured Modelling, Working Monograph, Western Management Science Institute, UCLA, 1985.
[11] Haseman, W. D. and Whinston, A. B., Design of a Multidimensional Accounting System, Accounting Review 51 (1), 1976.
[12] Holsapple, C. W. and Whinston, A. B., Manager's Guide to Expert Systems Using Guru, Dow Jones-Irwin: Illinois, 1986.
[13] Holsapple, C. W., Tam, K. Y. and Whinston, A. B., Inductive Approaches to Acquire Trading Rules, Proceedings of the First Conference on Expert Systems in Business and Finance, New York, New York, November 1987.
[14] Kaufman, P. J., Commodity Trading Systems and Methods, Wiley: New York, 1978.
[15] Kaufman, P. J., Technical Analysis in Commodities, Wiley: New York, 1980.
[16] Konsynski, B. R., On the Structure of a Generalized Model Management System, Proceedings of the Fourteenth Hawaii International Conference on System Sciences, Vol. 1, 1980.
[17] Lieberman, A. Z. and Whinston, A. B., A Structuring of an Event-accounting Information System, Accounting Review 50 (2), 1975.
[18] Lintner, J., The Valuation of Risk Assets and the Selection of Risky Investments in Stock Portfolios and Capital Budgets, Review of Economics and Statistics 47 (1), 1965.
[19] Mossin, J., Equilibrium in a Capital Asset Market, Econometrica 24 (4), 1966.
[20] Markowitz, H. M., Portfolio Selection, Journal of Finance 7 (1), 1952.
[21] McFarlan, F. W. and McKenney, J. L., Corporate Information Systems Management: The Issues Facing Senior Executives, Dow Jones-Irwin: Illinois, 1983.
[22] Reid, I., Artificial Intelligence in the Market, The Banker, June 1986.
[23] Ross, S. A., The Arbitrage Theory of Capital Asset Pricing, Journal of Economic Theory 13 (3), 1976.
[24] Ross, S. A., Return, Risk, and Arbitrage, in Risk and Return in Finance I (Friend, I. and Bicksler, J. L., eds.), Ballinger: Mass., 1977.
[25] Saltzer, J. H. and Schroeder, M. D., The Protection of Information in Computer Systems, Proceedings of the IEEE 63 (9), 1975.
[26] Schwager, J. D., A Complete Guide to the Futures Markets, Wiley: New York, 1984.
[27] Sharpe, W., Capital Asset Prices: A Theory of Market Equilibrium Under Conditions of Risk, Journal of Finance 19 (3), 1964.
[28] Stohr, E. A. and Tanniru, M., A Database for Operations Research Models, International Journal of Policy Analysis and Information Systems 4 (1), 1980.
[29] Strahm, D. N., Preference Space Evaluation of Trading System Performance, The Journal of Futures Markets 3 (3), 1983.
[30] McKinsey & Co., System Technology and the U.S. Commercial Banking Industry, New York and Chicago, 1987.
[31] Salomon Brothers Stock Research, Technology and Banking: The Implication of Strategic Expenditures, New York, 1987.
[32] Wilder, J. W., New Concepts in Technical Trading Systems, Trend Research: NC, 1978.
[33] Wood, C., Summers, R. C. and Fernandez, E. B., Authorization in Multilevel Database Models, Information Systems 4 (2), 1979.


Information Systems for Security Trading (Information & Management). Kar Yan Tam, Department of Management Science and Information Systems, College and Graduate School of Business, CBA 5.202, …




The Insider Threat to Information Systems.


Political Psychology Associates, Ltd.1


In the information age, as we have become increasingly dependent upon complex information systems, there has been a focus on the vulnerability of these systems to computer crime and security attacks, exemplified by the work of the President’s Commission on Critical Infrastructure Protection. Because of the high-tech nature of these systems and the technological expertise required to develop and maintain them, it is not surprising that overwhelming attention has been devoted by experts to technological vulnerabilities and solutions.


Yet, as captured in the title of a 1993 conference sponsored by the Defense Personnel Security Research Center, Computer Crime: A Peopleware Problem, it is people who designed the systems, people who attack the systems, and understanding the psychology of information systems criminals is crucial to protecting those systems.2


A Management Information Systems (MIS) professional at a military facility learns she is going to be downsized. She decides to encrypt large parts of the organization's database and hold it hostage. She contacts the systems administrator responsible for the database and offers to decode the data for $10,000 in "severance pay" and a promise of no prosecution. He agrees to her terms before consulting with proper authorities. Prosecutors reviewing the case determine that the administrator's deal precludes them from pursuing charges.


A postcard written by an enlisted man is discovered during the arrest of several members of a well-known hacker organization by the FBI. Writing from his military base where he serves as a computer specialist, he has inquired about establishing a relationship with the group. Investigation reveals the enlisted man to be a convicted hacker and former group member who had been offered a choice between prison and enlistment. While performing computer duties for the military, he is caught breaking into local phone systems.


An engineer at an energy processing plant becomes angry with his new supervisor, a non-technical administrator. The engineer's wife is terminally ill, and he is on probation after a series of angry and disruptive episodes at work. After he is sent home, the engineering staff discovers that he has made a series of idiosyncratic modifications to plant controls and safety systems. In response to being confronted about these changes, the engineer decides to withhold the password, threatening the productivity and safety of the plant.


At the regional headquarters of an international energy company, an MIS contractor effectively "captures" and closes off the UNIX-based telephonic switching system for the entire complex. Investigators discover that the contractor had been notified a week earlier that he was being terminated in part for chronic tardiness. Further investigation finds the employee to have two prior felony convictions and to be a member of a notorious hacker group under investigation by the FBI. The employee reports he is often up all night helping colleagues with their hacking techniques. Additional investigation reveals that he is the second convicted hacker hired at this site. An earlier case involved a former member of the Legion of Doom who had been serving as a member of a corporate information security team. He had been convicted of computer intrusion at a local phone company. Neither individual had disclosed their criminal history or had been subject to background checks sufficient to discover their past activities.


As these case summaries from the files of military and corporate security investigators demonstrate, growing reliance on information technology increases dependence on, and vulnerability to, those tasked with the design, maintenance and operation of these systems. These information technology specialists—operators, programmers, networking engineers, and systems administrators—hold positions of unprecedented importance and trust. Malevolent actions on the part of such an insider can have grave consequences. This is especially true for information technology specialists operating within the critical infrastructure as identified in the 1997 President's Commission on Critical Infrastructure Protection's final report.3.


These cases also demonstrate several points about the insider threat to the critical infrastructure. First, it is clear that insider problems already exist within the critical infrastructure, including the military, telecommunications, and energy sectors. Second, it appears that both inside and outside of our critical infrastructure, there is a tendency for managers to settle these problems quickly and quietly, avoiding adverse personal and organizational impacts and publicity. We do not really know how widespread the problems are. What is reported appears to be only the tip of the iceberg. Furthermore, we are at risk from repeat offenders, as perpetrators migrate from job to job, protected by the lack of background checks, constraints upon employers in providing references, and the lack of significant consequences for these offenses.


Finally, just as in organizations outside the critical infrastructure, the range of potential perpetrators and their motivations is broad. In many cases, acts of computer sabotage and extortion—like violence in the workplace—have been committed by disgruntled employees who are angry about lay-offs, transfers, and other perceived grievances. Other cases involve employees who take advantage of their position of trust for financial gain, hackers who are employed within the critical infrastructure caught engaging in unauthorized explorations, and "well-motivated" employees who claim they are acting in the best interest of their organizations.4 Other perpetrators include "moles," individuals who enter an organization with the explicit intent to commit espionage, fraud or embezzlement. Overall, case investigators report that the number of computer-related offenses committed by insiders is rising rapidly each year.


The extent of the insider threat has also been addressed in corporate and government survey results. According to WarRoom Research's 1996 Information Systems Security Survey, 62.9 percent of the companies surveyed reported insider misuse of their organization's computer systems. The Computer Security Institute’s 1998 Computer Crime Survey (conducted jointly with the FBI) reported the average cost of an outsider (hacker) penetration at $56,000, while the average insider attack cost a company $2.7 million. A comprehensive study conducted by the United Nations Commission on Crime and Criminal Justice which surveyed 3,000 Virtual Address Extension (VAX) sites in Canada, Europe and the United States, found that "By far, the greatest security threat came from employees or other people with access to the computers." While some researchers warn that survey data on computer crimes can be inaccurate due to unreported or undetected acts, such data are useful in characterizing a minimum level of threat and in drawing attention to the problem as a whole.


Paradoxically, in spite of the prevalence of the insider problem and the particular vulnerability of public and private infrastructures to the information technology specialist, there has been little systematic study of vulnerable insiders, while major investments are being devoted to devising technologies to detect and prevent external penetrations. Technological protection from external threats is indeed important, but human problems cannot be solved with technological solutions. Without a detailed examination of the insider problem and the development of new methods of insider risk management, such an unbalanced approach to information systems security leaves critical information systems vulnerable to fraud, espionage or sabotage by those who know the system best: the insiders.


Research in Progress.


In response to the increasing recognition of the dangers posed by the insider threat to information systems, Political Psychology Associates, Ltd., under the auspices of the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence), has undertaken a study to improve understanding of the personality, motives and circumstances which contribute to information technology insider actions. By constructing psychological profiles of perpetrators and mapping their interactions with the organizational environment as they move over time toward the commission of violations, the study aims to contribute to improvements in security, law enforcement and counter-intelligence policies and practices. Specific applications for improving the screening, selection, monitoring and management of information technology specialists are a primary goal of this research. The findings will also have implications for case investigation, information assurance audits, red team exercises, and information warfare.


The Critical Information.


From the broad array of employees who have access to computers, we are focusing on the information technology specialists who design, maintain or manage critical information systems. Employees in this professional category are of particular concern because they possess the necessary skills and access to engage in serious abuse or harm. Typical jobs include systems administrators, systems programmers and operators and networking professionals. We are using the term Critical Information Technology Insiders (CITIs) to designate this professional category.5.


The employment context is critical for understanding the relationship between the information technology specialist and the organization. The "insider-outsider" dichotomy is oversimplified, for in fact there is a spectrum of relationships between information technology specialists and organizations, which differentially affect loyalty and motivation.


Within the spectrum of "insiders," information technology specialists may serve as regular (full-time or part-time) staff employees, contractors, consultants or temporary workers (temps). In modern business practice, partners and customers with system access are also a source of exposure. In addition, former employees often retain sufficient access to the organization to remain an "insider" threat. Moles, information technology specialists who enter an organization with the intent to harm, are excluded from the current effort because they are potentially very different subjects from a psychological standpoint and present different screening and management problems. In this study we are primarily concerned with information technology specialists who develop their intent to harm the organization after being hired.


Staff employees pose perhaps the greatest risk in terms of access and potential damage to critical information systems. As vetted members of the organization, employees are in a position of trust and are expected to have a vested interest in the productivity and success of the group. Considered "members of the family," they are often above suspicion—the last to be considered when systems malfunction or fail.


Among the several types of insider categories, organizations generally have the strongest influence and control over their own employees. To the extent that an employer is permitted by law to probe the background of a potential hire for security purposes, such investigations are much more likely to occur with prospective employees than with contractors, consultants, or temporary workers, whose roles in the organization are by design transient and who may or may not be vetted.


Employee CITIs who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, protecting or advancing their careers, challenging their skills, expressing anger, impressing others, or some combination of these concerns. Three case examples serve to illustrate the employee threat:


Example 1: A senior MIS specialist at an international energy firm regularly created outages at Company sites around the world so that he could spend time abroad while gaining attention for his technical expertise.


Example 2: Michael Lauffenberger, a 31-year-old programmer for the General Dynamics Atlas Missile Program, reportedly felt unappreciated for his programming work on a parts-tracking system. He planted a "logic bomb" in the system designed to erase critical data after he resigned. He then anticipated returning to rescue the company as a highly paid and valued consultant.


Example 3: Jay Beaman, regional PC manager for the King Soopers supermarket chain, and two clerks were charged in an intricate computer fraud that cost the supermarket over two million dollars over two years. Investigators describe the motives as beginning with financial necessity but quickly escalating into greed and ego. Among the strategies used was manipulating the computer accounting system to funnel certain purchases into a dummy account. At the end of the day, the perpetrators would take the amount funneled into the dummy account right out of the cash registers and then delete the account, also erasing any trace of their fraud.


In examples 1 and 2, the employees used their knowledge and access to a critical system to create crises, which would magnify their importance and worth within the organization. Jay Beaman was able to use his position to both commit and cover up his fraud, emphasizing the vulnerability of organizations to trusted employees.


Contractors, partners, consultants and temps are included as a category separate from employees because they are often not, in practice, subjected to the same screening and background checks. Moreover, a lesser degree of loyalty to the firm or agency would be anticipated. Many organizations within the critical infrastructure but outside the intelligence community have little control over the pre-employment procedures and hiring practices utilized by a contractor or consulting group. This is true even though contractors and consultants (and sometimes temps) often have highly privileged access to the organization's information assets due to the increase in outsourcing of programming and other information technology functions.


While the contracting organization is well within its rights to require contractors to screen the employees that will be working within the organization or provide a separate screening process for contracted employees, such steps are rarely taken, putting the organization at risk. The same goes for consultants and temps, though the transient nature of the consulting or temporary working relationship presents practical barriers to more rigid screening processes. The hiring of former hackers by some computer security consulting firms further increases the risk of security compromises. Employers have also consistently underestimated the ability of contractors and consultants to take advantage of even limited access to important systems.


Example 4: A major international energy company recently discovered a logic bomb in software created by a contracted employee. It was installed as "job insurance" by the contracted employee, who had five prior convictions related to hacking. The contractor's firm failed to screen this employee, who installed the code in anticipation of using it as leverage against his employer in case his criminal record was discovered.


Example 5: Zhangyi Liu, a Chinese computer programmer working as a subcontractor for Litton/PRC Inc., illegally accessed sensitive Air Force information on combat readiness. He also copied passwords, which allow users to create, change or delete any file on the network, and posted them on the Internet.


Example 4 illustrates the problems posed by poor screening measures and the vulnerability of organizations outsourcing their information technology functions. Example 5 demonstrates the espionage threat posed by contractors, though the motivations of this particular perpetrator are not yet clear. It also emphasizes the complex issues of loyalty in an international environment.


Former employees include individuals who no longer work at an organization but retain access to information resources directly -- through "backdoors" -- or indirectly through former associates. Anticipating conflict with an employer, or even termination, these perpetrators may prepare backdoor access to the computer system, alternative passwords, or simply stockpile proprietary data for later use. The number of cases in which separated employees have returned to extract vengeance on their former employers indicates a need for improved management of the termination process. This is particularly the case in episodes involving large numbers of layoffs. Such reductions can result in a pool of disgruntled employees and former employees with access and motivation for vengeance.


Example 6: Donald Burleson, a computer programmer for USPA & IRA Co., a Fort Worth securities trading firm, designed a virus after being reprimanded for storing personal letters on his company computer. The virus was designed to erase portions of the Company's mainframe and then repeat the process if a predetermined value was not reset in a specific location. After being fired, Burleson used a duplicate set of keys to return to the facility at 3 a.m. and employ an unauthorized backdoor password to reenter the system and execute the virus.


Indispensable Role of the Insider.


It is important to note that the efforts of "outside" groups (including foreign interests) could be aided significantly by the assistance of parties within the organization with access to, and knowledge of, critical information systems. For certain secure, self-contained systems, the insider's access will prove indispensable. Whether the insider is recruited directly, recruited indirectly (e.g., "false flag" recruitment), coerced through blackmail, or manipulated through "social engineering" while unaware that he is providing assistance to an adversary, his collaboration is a tremendous force multiplier. The potential damage an insider can now commit has also been increased within the last decade by two related trends in information systems -- consolidation and, for all intents and purposes, the elimination of the need-to-know principle. These changes, designed to improve information sharing, have removed obstacles to hostile collection. The hostile, sophisticated information technology professional now has many more opportunities to enter and damage larger systems. These vulnerabilities led one government information technology specialist, who focuses on system security, to refer to many allegedly secure government databases as "single point of failure systems."


Example 7: On the programming staff of Ellery Systems, a Boulder, Colorado software firm working on advanced distributive computing software, was a Chinese national who transferred, via the Internet, the firm's entire proprietary source code to another Chinese national working in the Denver area. The software was then transferred to a Chinese company, Beijing Machinery. Ellery Systems was subsequently driven to bankruptcy by foreign competition directly attributed to the loss of the source code.


As illustrated by this case, the foreign connections of information technology specialists can increase their vulnerability to recruitment, manipulation, or independent hostile action.


Personal and Cultural Vulnerabilities.


Case studies and survey research indicate that there is a subset of information technology specialists who are especially vulnerable to emotional distress, disappointment, disgruntlement and consequent failures of judgment which can lead to an increased risk of damaging acts or vulnerability to recruitment or manipulation. Moreover, there are characteristics of the so-called "information culture" which contribute to this vulnerability. This report is not an attempt to cast suspicions on an entire professional category whose role in the modern computer-based economy has become so critical. However, we must better understand the motivations, psychological makeup, and danger signals associated with those insiders who do pose a threat to our information systems before we can really address this problem.


Reports of past research and our own findings based on interviews conducted so far lead to the conclusion that there are several characteristics which, when found together, increase this vulnerability toward illegal or destructive behavior. These include: computer dependency, a history of personal and social frustrations (especially anger toward authority), ethical "flexibility," a mixed sense of loyalty, entitlement, and lack of empathy.


According to a 1991 study by Professor Kym Pocius, the psychological testing of over fifteen hundred computer programmers, systems analysts, programmer trainees, and computer science students in seven separate studies consistently found these groups to be "overwhelmingly represented by introverts." Introverts differ from extroverts in being oriented toward the inner world of concepts and ideas rather than the outer world of people. They enjoy being alone, prefer their own thoughts to conversation with others and may be socially unskilled. They also tend to be over-conscientious, secretive, pessimistic and critical. Authorities on the subject tell us that introverts are harder to distract than are extroverts, yet they are more reactive to external stimuli. According to H. J. Eysenck, a prominent personality psychologist, introverts tend to "shy away from the world while extroverts embrace it enthusiastically."


We wish to emphasize that, unlike the traits we are about to delineate, introversion is characteristic of computer technology specialists as a group, as well as of scientists and other technology specialists. Indeed, some 40% of the overall population demonstrate this trait. One could not eliminate introverts from the ranks of computer technology specialists without eliminating the specialty. However, the preference for individual intellectual pursuits as opposed to interpersonal activity means that the signs of employee disaffection which would be apparent for extroverted employees may not be so readily visible. Such signs may, in fact, appear only on-line, so the introvert poses challenges to management.


The following vulnerabilities have been identified in individuals who commit dangerous acts. They are associated with the vulnerable subgroup within computer technology specialists.


Surveys of computer professionals and computer science students indicate the presence of a subgroup whose entry into the field is motivated, in part, by frustrations getting along with others. According to a 1993 study by Professor R. Coldwell, this subgroup reports a history of conflicts and disappointments with family, peers and coworkers. They report preferring the predictability and structure of work with computers to the lack of predictability and frustrations of relationships with others. These experiences appear to have left them with a propensity for anger, especially toward authority figures. They also tend to be less socially skilled and more isolated than are their peers. Noting the high incidence of anger and alienation in these computer science students, Coldwell labeled it "revenge syndrome."


These traits create an increased vulnerability to feelings of alienation, disgruntlement, and disappointment on the job. Not only are such employees more likely to have innate antagonism for their supervisors, but they are less likely to trust and to deal directly with authorities when problems arise. In turn, these characteristics may also make some of these employees more vulnerable to recruitment and manipulation.


Two identified subgroups of computer users include individuals who exhibit an addictive-like attachment to their computer systems and those who manifest a similar attachment to the on-line experience offered by networks such as the Internet. Behavioral scientists studying these subgroups have found that they spend significantly more time on-line than is necessary for their work, frequently report losing any sense of the passage of time while on-line, and find that their on-line activities interfere significantly with their personal lives.


The "computer-addicted" individuals studied by researcher Margaret Shotton (1991) reported their primary interest as exploring networks, and viewed breaking security codes and hacking as honorable means of gaining emotional stimulation by challenging and beating security professionals. They did not consider pirating software unethical.


Computer dependents share a history of social failures and ostracism, and they admitted that the computer replaces direct interpersonal relationships. Their family histories include a high percentage of aloof, cool, and disinterested parents and authoritarian fathers. On formal psychological testing, this group contains a high percentage of well-informed, scientific problem-solvers who enjoy intellectual pursuits. They are significantly more likely to be independent, self-motivated, aggressive loners, who make poor team players and feel entitled to be a law unto themselves. They reportedly tend to exhibit an unusual need to show initiative to compensate for underlying feelings of inadequacy.


Other researchers found that many members of the Internet-addicted subgroup are deeply involved in computer-mediated relationships, including role-playing games. For many introverted, less socially skilled individuals, their computer-mediated social contacts are the least anxiety arousing of their interpersonal experience. In some cases, the sense of self, experienced on-line, becomes greatly preferred to the experience of self in the real world. Correspondingly, the on-line relationships of these individuals can displace affections and loyalties from real world ties. Noting the power of these relationships, many mental health professionals have characterized them as therapeutic building blocks that can help some people make the transition to subsequent real world contacts. However, for other more vulnerable individuals, these on-line relationships may also constitute an avenue for influence, recruitment or manipulation with security implications.


Concerns have been raised about looser ethical boundaries within the so-called "information culture." Surveys in recent years of current computer professionals indicate the presence of a subgroup whose members do not object to acts of cracking, espionage and sabotage against information resources. This subgroup appears to maintain the position that if an electronic asset, such as a limited access file, is not sufficiently secure, then it is fair game for attack. A disturbing aspect of these findings is the association between decreased ethical constraints and youth, suggesting that this perspective may be shared increasingly among new and future employees.


A number of social phenomena have been cited by several researchers as contributing to this dangerous trend. Lack of specific computer-related ethical training and lack of regulations within organizations have been implicated as contributing to lax employee ethical attitudes. Lack of similar ethical training in schools and at home by parents also contributes to this cross-generational trend. The boundary ambiguities of cyberspace, especially the lack of face-to-face connection, may also insulate perpetrators from the impact of their acts. The idea that exploring and even copying others’ files inflicts no real damage has also been used to rationalize what would otherwise be considered privacy violations and theft in the outside world.


Finally, the computer industry has been implicated in the erosion of its own ethical standards. Some critics have suggested that the introduction of what they view as unrealistic and impractical restrictions on the use of purchased software produced contempt and disregard for these standards. Other critics suggest that the hiring and promotion of former hackers has sanctioned hacking and has even produced an incentive for this behavior.


Organizational loyalty among programmers and other professionals has been challenged increasingly by the high demand for their services and high rates of turnover in the profession. The resulting pressures to hire and retain computer professionals have also placed tremendous pressure on the security process.


Commenting on interviews with insider perpetrators of computer crime by the President's Council on Integrity and Efficiency, computer security expert Sanford Sherizan addressed the issue of distinct differences in programmer loyalty. Sherizan noted that there appear to be programmers who identify with the organization that pays them, while others identify with the profession of programming itself. For these latter employees, their weak bond to the organization can lead to tensions in the workplace. Ambiguities about the "ownership" of intellectual property in the form of source code and other programs have also led to a large number of conflicts between employers and computer professionals.


Our clinical investigations of vulnerable CITIs have consistently revealed two additional traits as risk factors, which have been alluded to but have not been emphasized. In assessments of CITI perpetrators from the energy and national security infrastructures, we have found that a sense of entitlement and anger at authority are consistent aspects of perpetrator motivation and personality.


A sense of entitlement, associated with the narcissistic personality, refers to the belief that one is special and owed corresponding recognition, privilege or exceptions from normal expectations. This sense of "specialness" is often associated with a self-perception of gifts or talents which are unrecognized by others. The perception that this specialness is not being recognized by authority figures often combines with a pre-existing anger at authority to produce feelings in these individuals that they have been treated unjustly and are entitled to compensation or revenge. Often, this sense of entitlement is supported by special arrangements or exceptions to rules granted to highly valued but "temperamental" MIS employees. Thus employers actually reinforce this belief, up the ante, and contribute to what often becomes an inevitable crisis. The current shortage of information technology personnel may also influence feelings of entitlement among older information technology employees, who may resent special treatment and bonuses paid to new hires.


According to a 1991 report by psychologists Robert Raskin and Jill Novacek, individuals with these narcissistic tendencies who are under higher levels of daily stress are prone to "power and revenge fantasies in which they see themselves in a powerful position able to impose punishment on those who have wronged them."


Our clinical sample helps validate a concern expressed by Coldwell about a group of programmers and computer science students whom he characterizes as suffering from "revenge syndrome." Interviewees in this group appeared to present very similar perspectives and motives. As one interviewee in the previous study commented, when asked how he might utilize the power he was acquiring with his knowledge of programming, "I'll be getting my own back on the society that screwed me up."


Disregard for the impact of their actions on others, or inability to appreciate these effects, has been a perpetrator characteristic noted consistently by investigators. It is also consistent with our clinical experience. Perhaps compounded by the impersonal layers of cyberspace, many computer perpetrators report never having considered the impact of their acts on other human beings. Many more appear incapable of placing themselves in their victim's shoes and imagining how the experience felt. This lack of empathy is a hallmark of individuals with narcissistic and anti-social personalities, and is consistent with the traits of reduced loyalty and ethical flexibility.


CITI Personal and Cultural Characteristics.


In summary, the research literature which we have surveyed identifies a coherent cluster of risk factors characteristic of a vulnerable subgroup of Critical Information Technology Insiders (CITIs). The negative personal and social experiences of a subgroup of information technology specialists tend to make them more vulnerable to experiencing the personal and professional frustrations which have been found to drive insider espionage and sabotage. Their social isolation and relative lack of social skills probably reduce the likelihood of their dealing with these feelings directly and constructively. Their reported vulnerability to ethical "flexibility," reduced loyalty to their employers, feelings of entitlement, anger at authority and lack of empathy probably reduce inhibitions against potentially damaging acts. At the same time, their loneliness, social naiveté and need to impress others may make them vulnerable to exploitation and manipulation.


The presence of any or all of these personal and cultural vulnerabilities does not, however, a perpetrator make. Indeed, it is more often the dynamic interaction between the vulnerable CITI’s personal psychology (including the vulnerabilities enumerated above) and the organizational and personal environment that leads the vulnerable CITI down a slippery slope, at the end of which an act of information system aggression occurs. These critical pathways -- plural, for there are no set routes for the path to deviant, antisocial behavior -- that a CITI perpetrator might travel are being defined and explored further in the course of our research program.


What we do know already is that there is a complex interplay of personal and cultural or environmental factors which, over time, funnel an individual toward insider actions and that an understanding of this critical pathway has implications for personnel screening, monitoring, case management, and training. We also know that predisposing traits and situational factors are only part of the problem. What might be called acute situational stressors such as marital or family problems, episodes of substance abuse, disappointments at work, threatened layoffs, or other stressful life events can trigger an emotional reaction leading to impaired judgment and reckless or vindictive behavior.


Impact of Intervention.


Nevertheless, there are also mitigating forces that appear to reduce the likelihood of committing such acts or defuse a specific threatening situation. Highest on the list of mitigating factors is effective intervention by supervisors, co-workers, family members and close friends. Intervention might lead to counseling, involvement with support groups, or medical assistance. It is essential, however, that those who might intervene recognize and respond to significant warning signs and symptoms.


A lucid description of the critical pathway to insider actions comes from Project Slammer, a major study of Americans convicted of espionage. Project Slammer mental health professionals conducted extensive interviews and formal psychological assessments with convicted perpetrators, most of whom were insiders. They also interviewed their coworkers, supervisors and families to identify not only the characteristics of perpetrators, but also the chain of events which led to their acts of treason. The results identified an interaction of factors, none of which alone was sufficient to result in an act of espionage. However, taken together and over time, these traits and experiences, common to many of the perpetrators, appear to have formed what we view as a common pathway to these acts. This pathway includes the following combination of events or "steps" which in some cases led to severe damage to national security:

1. Predisposing Personal Traits

2. An Acute Situational Stressor

3. Emotional Fallout

4. Biased Decision-making or Judgment Failures

5. Failure of Peers and Supervisors to Intervene Effectively


As noted above, outside intervention is a critical mitigating factor on the path to insider acts. Unfortunately, in the insider espionage cases examined, it was often absent. Peers often assumed supervisors or others were aware of, and attending to, the problem. Supervisors often ignored the employee's problems, not wanting to deal with difficult individuals or not wishing to risk losing a valued member of the team. Often they attempted to manage the problem without considering the security risks involved. Sometimes the problem was pushed aside by transferring or firing the employee. It is interesting to note that a significant number of espionage offenders commit their acts after leaving their organizations. Abrupt termination does not appear to be a productive way to eliminate the security threat posed by such at-risk employees. Other supervisors incorrectly assumed that psychological referrals or on-going mental health counseling automatically took care of the problem and eliminated the risk of insider acts without requiring other intervention.


In the cases of destructive and criminal acts by vulnerable CITIs that we have analyzed to date, we are seeing a similar pattern in the sequencing of events. In a number of cases evaluated so far, we are confronted with examples of management failure to notice the problem, to accept the fact that a problem exists, or a willingness to tolerate dangerous behavior due to a desire to retain the services of a valued, technically competent employee. These findings have several implications for personnel management:


The critical path model views the probability of insider acts as the product of the interaction between predisposing traits, situational stressors and the organizational environment. Initial screening of employees should therefore emphasize the collection of information regarding traits, past and current behaviors (especially a criminal records check), and circumstances indicative of risk that is specifically tailored to the profile of the vulnerable CITI. Behaviors particular to the world of the computer professional should be central to this inquiry. Furthermore, successful screening will require that human resources and information systems recruiters be sensitized to the factors contributing to CITI risk to guide them in the hiring process.


Overall, the three most common management errors we have noted regarding CITI offenders have been (1) the failure to understand the personality and motivation of the at-risk employee; (2) the failure to have clear, standardized rules governing the use of company information systems with explicit consequences for misuse; and (3) the failure to punish rule violations. These problems often result in inadequate or even aggravating rules of conduct when constructive relief would be possible. Without organizational rules of conduct, employees have no guide to right and wrong and supervisors have no recourse to consequences when clear violations are discovered.


The company may also be held liable for illegal acts committed by employees in the absence of a well-defined and supported code of ethics. Solutions include specialized training for IT (information technology) managers to facilitate recognition of vulnerable CITIs and the selection of proper intervention techniques. The implementation of a comprehensive compliance program is also essential and should include a well-defined code of ethical behavior and support for employees facing ethical dilemmas or with questions regarding company policy.


For reasons discussed above, computer professionals present significant management challenges. In particular, monitoring their psychological state for risk using conventional observations is extremely difficult. As noted earlier, a subset of these individuals is likely to be more vulnerable to work-related stressors, while at the same time much less likely to display overt signs of distress, complicating detection and delaying appropriate intervention by IT managers.


Compounding this problem is the shift of work-based communications toward computer-mediated communications in the workforce, a trend vastly accelerated among IT professionals in general, especially among those CITIs who find e-mail or chat rooms their preferred channel for maintaining professional and personal relationships. The characteristics of the vulnerable CITI will inevitably require adapting traditional monitoring and intervention techniques to at-work electronic communications as the most effective means of understanding the psychological state and risk among these employees.


Innovative approaches for managing computer professionals include the creation of on-line environments designed to relieve work-related stress by providing professional and constructive advice on dealing with problems in the office, e.g., on-line Employee Assistance Programs or job-stress hotlines. Electronic bulletin boards for logging anonymous complaints that can be monitored by management for purposes of addressing general grievances have also proven effective in some situations.


One approach to effectively manage at-risk employees whose behavior has raised concern is to monitor their at-work electronic communications. This can be effectively used to detect changes in psychological state which warn of increased risk of destructive acts. While this approach raises privacy concerns, legal precedent has generally upheld the right of the employer to monitor their employees’ use of company owned systems.


Finally, the critical path approach can also add a human element to the information security audit and its traditional emphasis on technological vulnerabilities and fixes. By reviewing the manner in which an organization selects, promotes, monitors, detects, manages and intervenes with problem CITIs, an investigator can gauge the organization’s general sensitivity to insider risk and provide constructive solutions to managing the insider problem.


Only by adapting a comprehensive approach applying technological and human factors to information security can an organization adequately protect itself from both the outside threat of hackers and the more serious threat posed by the disaffected insider.


1. This article is reprinted from Security Awareness Bulletin No. 2-98, published by Department of Defense Security Institute, September 1998. The research on which this article is based is part of a broader research program conducted by Political Psychology Associates, Ltd., for the Office of the Assistant Secretary of Defense (C3I).


2. Defense Personnel Security Research Center (PERSEREC) in Monterey, California, is now the Security Research Center of the Defense Security Service.


3. According to the PCCIP report, infrastructure is defined as "a network of independent, mostly privately-owned, man-made systems and processes that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services." Critical components of the infrastructure, those affecting national security and the general welfare, include: transportation, oil and gas production and storage, water supply, emergency services, government services, banking and finance, electrical power, and information and communication infrastructures.


4. Our clinical experience indicates that seemingly simple cases of greed are rarely so simple when it comes to perpetrator motivation. Often there are other strong feelings and stressors behind the greed which complicate the motivational profile.


5. By definition, the term Critical Information Technology Insider (CITI) excludes the mass of end users who use computers as part of their jobs but for whom computers serve as a tool and not as a job in itself. While end users are associated with their own set of risks, we are specifically concerned with information technology specialists, whose job functions elevate them well above the average end-user in terms of skill, access and potential damage.


Home Security Systems & Services.


Home Security Cameras.


The best home security systems allow you to see inside or outside your home in real time from your computer, smartphone or tablet.


Wireless Home Security.


Easily install and expand the ADT home security system with wireless security.


Storm Safety.


Ensure the home security system continues to work even if your landlines are down due to a storm.


Remote Access.


Lock and unlock your doors from anywhere, and receive alerts when someone else uses the home security system.


Energy Management.


Control your thermostat from anywhere, anytime to better manage your heating and cooling usage.


Medical Alert.


The medical alert system in our home alarm security systems features a two-way voice intercom system which immediately connects you with a real person.


I HELP KEEP THE PEACE AND HELP KEEP YOU IN CONTROL.


Think I’m only about home security? Think again. From lights to locks to live video and everything in between, I help keep your home both safe and smart.


Home Security Systems - How ADT Works.


When an event is triggered through one of our home alarm security systems, every second counts. With six fully redundant Customer Monitoring Centers, you can count on us to deliver a fast response to you and the police.


STEP 1. ALARM TRIGGERED.


Set up an appointment and we'll help assess your security needs.


STEP 2. ADT RESPONSE.


When the home security systems alarm signal is received, a trained ADT Professional is there to respond quickly.


STEP 3. CALL FROM AN ADT REPRESENTATIVE.


This caring home security system professional will contact you to confirm whether you are okay or in need of assistance.


STEP 4. TAKING ACTION.


If you are in need of assistance, the ADT Representative will contact the police, fire department or other emergency personnel to request dispatch to your home as quickly as possible.

Our wireless home security systems are best known for monitoring against burglary and fire, but we also offer CO monitoring and flood detection, which can help with storm preparedness thanks to a water detection sensor.


Beyond our basic security, you should also look into our ADT Pulse® products. Our best home security systems include controls for lights, locks, live video, as well as remote temperature control, all accessible from our app.


Learn more about protecting your home with home security tips, or more about ADT in particular, using our home security resources. Discover how all of our home security systems account for home security basics like emergency preparedness, or see our home automation systems in action by watching our ADT Pulse® videos. Feel free to browse through our home automation resources page as well.


We also offer home health resources for homeowners with additional family safety concerns as part of our ADT Health service.


As a homeowner, you want a home security system designed for your needs. Protect your business as smartly as you would your home with ADT business security. All of our business security systems provide the basics: theft prevention, a business alarm system, remote access, business video surveillance and more.


The ADT Difference provides you with the top business automation services that will keep your business safe, smart and efficient. Watch the demo.


ADT is the #1 security company in the US. Besides our best home security systems, we also have a line of products for families specifically concerned about senior safety. Our three Medical Alert System options use medical bracelets and other medical alert devices to connect senior citizens directly to a support team that can send help immediately if anything happens.


ADT is the most trusted security company in the industry. Keeping you safe is our business. But don’t take our word for it; watch the ADT Lifesaver Testimonial Videos to hear real stories from real people who’ve had their lives and homes saved by ADT. Additionally, check out our ADT Pulse® app downloads to see exactly what technology we offer in terms of home safety. Our home alarm security systems are easy to use, but should any questions arise, you can download our ADT security manuals, check the ADT security FAQs page, or contact ADT directly. We keep your home secure 24/7 and aim to provide you with round-the-clock support as well through ADT customer service.


ADT home security is the most established and trusted in the industry. For over 140 years, we’ve made protecting and connecting the centerpiece of what we do.


We consider this commitment an ADT responsibility that goes into all of our home security monitoring systems, but also goes beyond that to placing a high value on ADT sustainability as well.


Even a brief look at our ADT history tells you a great deal about ADT, and further demonstrates our experience, expertise and values. These qualities are pervasive in our company. Our ADT directors and ADT corporate leadership are committed to upholding the ADT code of conduct and ADT ethics in everything that we do.