I want to classify data based on their importance, and secure them based on that classification. My question, is there a difference between data importance and their security level. To me, the more important data become , the more security level they need, so the relation between data's importance and their level of security is direct relationship. Is there a way that data could be important but do not need to be secure. In other words, can the relationship between data importance and its security level become separate of each other in the concept of security area. e.g : (very important but insecure). Please note I am talking about the concept, not technically. If the answer yes, Can you please give an example?
Thank you for your cooperation.
Well, it hard to find an example where data, which is highly important to a entity(person or organization) is kept without lock and key.
Having interest in "human element in information security" and going through all the evidences (both literature and empirical data) so far, I have not come across a single example where a person says that he has kept his most valuable and important piece of information openly. There is always a mechanism to protect it, even if it is flawed one. However, perceived importance, perceived security and perceived privacy, all are highly contextual in nature. One important piece of information may not be important to other. Similarly, one person's highest security level (level 5 for example) may be level 2 for the other. Therefore, it is very important to understand the factors that could enable grouping of people having same understanding of perceived importance and perceived security measures. Individual factors (age, gender, education), cultural factors and personality related factors become very relevant in this regard.
I am not sure if you are examining the concept of data importance and security level in context of individuals or organization or network data (as you have used the term WSN).
Thank you Ali for your reply. I am trying to understand this in the context of network data. I agree with what you mentioned above. Yes you are right, certain security level for one application might be different for other applications, however this can be managed by the classification's criteria. Every entity can classify data based on their importance to them, but at the end their level of security should be associated with their importance. Hence, data classified as high important should be assigned to top secret level. Consequently, the relationship is still direct between the importance of data and their security level. I know it is a bit confusing, but I am curious whether there is another scenario which data can be important for an application and their security level could be low.
Hi Sultan,
I think in this case you need to differentiate between different security features. For example: Encryption, integrity and authentication. Some data might be very important but it does not necessary mean that it should be encrypted. Instead, it needs another security feature: Authentication.
Imagine your WSN is measuring temperature and sending this information to another entity. In this case, the information about the temperature is very important, but in most cases it does not need to be encrypted (there is no problem if someone reads the data about temperature from your network). However, it is very important that the data is not modified on its way. That is, the integrity of the data is important. Also, it is very important to know where the measurement of temperature comes from: That is, the data needs to be authenticated.
To summarise, if you consider 'secrecy' as the measure of security of your data, the temperature will be important but can be insecure.
Hope it helped.
Jhordany
Hi Jhordany,
Thank you for your valuable reply. It clarifies the difference between data importance and its security level. So we can say they are related to each other in general, but there is exception such as what you mentioned in your reply. Data can be important but does not require encryption. So it does need to be authenticated and valid, but not encrypted, when there is no need for confidentiality.
Yes, you are right. Happy to know it helped you. I would say that all important data needs to be secured. However, security has several components and sometimes for some important data, some security components are not required. All the best!
I think most of the replies have answered your question, but it is fairly straight forward to think about important data as more vulnerable to attacks and therefore will need appropriate measures of security.
- Badges
- Science topic