
    ISRAM: information security risk analysis method

    The continuously changing technological environment forces the process of information security risk analysis to be revised accordingly. A number of quantitative and qualitative risk analysis methods have been proposed by researchers and vendors. The purpose of these methods is to analyze today's information security risks properly; some of them are supported by a software package. In this study, a survey-based quantitative approach is proposed to analyze the security risks of information technologies, taking current necessities into consideration. The new method is named the Information Security Risk Analysis Method (ISRAM). A case study has shown that ISRAM yields consistent results in a reasonable time period while allowing the participation of the manager and staff of the organization.

    A Novel Approach to Information Security Risk Analysis

    A number of risk analysis methods have become obsolete because of the profound changes in information technologies. These changes have turned many risk analysis methods into inconsistent, slow and expensive instruments. Risk analysis methods should therefore be adaptively modified or redesigned according to the changes in information technologies, so that they meet the information security requirements of organizations. Taking these requirements into consideration, a survey-based approach is proposed for analyzing the risks of information technologies. The new method is named the Risk Analysis Method for Information Security (RAMIS). A case study is conducted to show the steps of RAMIS in detail and to obtain the risk results. To verify the results of the case study, a simulation is performed based on real statistical data. The simulation results show that RAMIS yields consistent results in a reasonable time period while allowing the participation of the manager and staff of the organization.

    Management of security information in the security industry

    Incidents, threats and vulnerabilities have the potential to negatively affect an organisation's assets. Information on these incidents, threats and vulnerabilities is important to security. It is therefore necessary for this security information to be managed effectively and efficiently, so that correct decisions can be made on the implementation of security risk control measures. This study explored the management of security information in the security industry by undertaking the following:
    • establishing the "status quo" of the collection and analysis of security information and the implementation of security risk control measures in practice;
    • identifying the nature and extent of problems experienced in the collection and analysis of security information and the implementation of security risk control measures; and
    • the discovery of a new Security Information Management Model (SIMM).
    Mixed methods research was used to study the management of security information in the security industry, with an explorative research design. Semi-structured interviews and focus group interviews were conducted with senior security managers and operational security officers, respectively. A grounded theory research design was used to analyse the qualitative data in order to generate a substantive grounded theory: that security officers operate without a standardised framework to manage security information. The data from the semi-structured and focus group interviews were used to design a questionnaire for a survey using the quantitative approach. A non-experimental research design was used to conduct this self-administered questionnaire survey, and the survey data helped validate and confirm the substantive grounded theory. The study found that there was a need for a Security Information Management Model to manage security information in the security industry.
    Based on this finding, the researcher recommended a new Security Information Management Model for the management of security information in the security industry.
    Criminology and Security Science. D. Litt. et Phil. (Criminology

    Cyber Supply Chain Risks in Cloud Computing - Bridging the Risk Assessment Gap

    Cloud computing represents a significant paradigm shift in the delivery of information technology (IT) services. The rapid growth of the cloud and the increasing security concerns associated with the delivery of cloud services have led many researchers to study cloud risks and risk assessments. Some of these studies highlight the inability of current risk assessments to cope with the dynamic nature of the cloud, a gap we believe results from a lack of consideration for the inherent risk of the supply chain. This paper therefore describes the cloud supply chain and investigates the effect of supply chain transparency on conducting a comprehensive risk assessment. We conducted an industry survey to gauge stakeholder awareness of supply chain risks, seeking to find out which risk assessment methods are commonly used, which factors hinder a comprehensive evaluation, and how the current state of the art can be improved. Analysis of the survey dataset showed the lack of flexibility of the popular qualitative assessment methods in coping with the risks associated with the dynamic supply chain of cloud services, which is typically made up of an average of eight suppliers. To address these gaps, we propose a Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model supported by decision support analysis and supply chain mapping in the identification, analysis and evaluation of cloud risks.

    Paper Session IV: Development and Delivery of Coursework - The Legal/Regulatory/Policy Environment of Cyberforensics

    This paper describes a cyber-forensics course that integrates important public policy and legal issues as well as relevant forensic techniques. Cyber-forensics refers to the amalgam of multi-disciplinary activities involved in the identification, gathering, handling, custody, use and security of electronic files and records, drawing on expertise from the forensic domain, and producing evidence useful in the proof of facts for both commercial and legal activities. The legal and regulatory environment in which electronic discovery takes place is of critical importance to cyber-forensics experts because the legal process imposes both constraints and opportunities for the effective use of evidence gathered through cyber-forensic techniques. This paper discusses different pedagogies that can be used (including project teams, research and writing assignments, student presentations, case analyses, class activities and participation, and examinations), evaluation methods, problem-based learning approaches and critical thinking analysis. A survey and evaluation is provided of the growing body of applicable print and online materials that can be utilized. Target populations for such a course include students with majors, minors or supporting elective coursework in law, information sciences, information technology, computer science, computer engineering, financial fraud, security and information assurance, forensic aspects of cyber security, privacy, and electronic commerce.
    Keywords: Cyberforensics; Electronic Data Discovery; Electronic Records Management; Pre-Trial Discovery; Admissibility of Electronic Evidence; Information Assurance, Security and Risk Analysis

    Life expectancy inequalities in the elderly by socioeconomic status. Evidence from Italy

    Background: Life expectancy increased considerably in most developed countries during the twentieth century. However, the increase in longevity is neither uniform nor random across individuals belonging to different socioeconomic groups. From an economic policy perspective, the difference in mortality by socioeconomic condition challenges the fairness of social security systems. We focus on the case of Italy and aim to measure differences in longevity at older ages between individuals belonging to different socioeconomic groups, also in order to assess the effective fairness of the Italian public pension system, which is based on a notional defined contribution (NDC) benefit computation formula whose rules do not take into account individual heterogeneity in expected longevity.
    Methods: We use a longitudinal dataset that matches survey data on individual features recorded in the Italian module of the EU-SILC with information on the whole working life and until death collected in the administrative archives managed by the Italian National Social Security Institute. In more detail, we follow until 2009 a sample of 11,281 individuals aged at least 60 in 2005. We use survival analysis and measure the influence of a number of events experienced in the labor market and of individual characteristics on mortality. Furthermore, through Kaplan-Meier simulations of hypothetical social groups, adjusted by a Brass relational model, we estimate and compare differences in life expectancy between individuals belonging to different socioeconomic groups.
    Results: Our findings confirm that socioeconomic status strongly predicts life expectancy even in old age. All estimated models show that the prevalent type of working activity before retirement is significantly associated with the risk of death, even when controlling for dozens of variables as proxies of individual demographic and socioeconomic characteristics. The risk of death for self-employed individuals is 26% lower than that of employees, and life expectancy at 60 differs by five years between individuals with opposite socioeconomic statuses.
    Conclusions: Our study is the first to link results based on a micro survival analysis of subgroups of the elderly population with results for the entire Italian population. The extreme differences in mortality risk by socioeconomic status found in our study confirm the existence of large health inequalities and strongly question the fairness of the Italian public pension system.

    An Exploration of Wireless Networking and the Management of Associated Security Risk

    The rapid expansion of wireless information technology (IT), coupled with a dramatic increase in security breaches, forces organizations to develop comprehensive strategies for managing security risks. The problem addressed was the identification of security risk management practices and human errors of IT administrators that put the organization at risk of external security intrusion. The purpose of this non-experimental quantitative study was to investigate and determine the security risk assessment practices used by IT administrators to protect the confidentiality and integrity of the organization's information. The research questions focused on whether the security risk management practices of IT administrators met or exceeded the minimally accepted practices and standards for wireless networking. The security risk assessment and management model established the theoretical framework. The sample was 114 participants from small to medium IT organizations, comprising security engineers, managers, and end users. Data were collected via an online survey, and data analysis included both descriptive and inferential statistical methods. The results revealed that more than 80% of participants conducted appropriate risk management and review assessments. This study underscored the need for a more comprehensive approach to managing IT security risks. IT managers can use the outcome of this study as a benchmark for evaluating their current risk assessment procedures. Experiencing security breaches may be inevitable for organizations; however, when organizations and industry leaders can greatly reduce the cost of a data breach by developing effective risk management plans that lead to better security outcomes, positive social change can be realized.

    The Employee-Based Information Security Risks on the Example of the Estonian Literary Museum

    People are considered to be the weakest link when it comes to information security, and it is therefore very important that they have the skills and knowledge needed to ensure the security of information. This Master's thesis examines employee-based information security risks using the example of the Estonian Literary Museum. The research methods were a survey, interviews and the documents of the institution. The theoretical basis for identifying the information security risks was the IT Security Baseline System ISKE (the Estonian system of security measures for information systems) together with the risk analysis guide for Critical Service Providers (CSPs, in Estonian ETO). As a result of the analysis of employee-based information security risks, the employee-related risks present in the institution were identified, and, using the ISKE measures, recommendations were given to the management on how to reduce the likelihood of the identified risks.

    Factors affecting public access defibrillator placement decisions in the United Kingdom: A survey study

    AIM: This study aimed to understand current community public access defibrillator (PAD) placement strategies and identify factors which influence PAD placement decision-making in the United Kingdom (UK).
    METHODS: Individuals, groups and organisations involved in PAD placement in the UK were invited to participate in an online survey collecting demographic information, facilitators and barriers to community PAD placement, and the information they use to decide where a PAD is installed. Survey responses were analysed through descriptive statistical analysis and thematic analysis.
    RESULTS: There were 106 included responses. Distance from another PAD (66%) and availability of a power source (63%) were the factors most frequently used by respondents when deciding where best to install a PAD, and historical occurrence of cardiac arrest (29%) was used the least. Three main themes were identified as influencing PAD placement: (i) the relationship between the community and PADs, emphasising community engagement to create buy-in; (ii) practical barriers and facilitators to PAD placement, including securing consent, powering the cabinet, accessibility, security, funding, and guardianship; and (iii) 'risk assessment' methods to estimate the need for PADs, including areas of high footfall, population density and type, areas experiencing health inequalities, areas with delayed ambulance response, and current PAD provision.
    CONCLUSION: Decision-makers want to install PADs in locations that maximise impact and benefit to the community, but this can be constrained by numerous social and infrastructural factors. The best location to install a PAD depends on local context; work is required to determine how to overcome barriers to optimal community PAD placement.