766 research outputs found

    Trade Secret Law and Information Systems: Can Your Students Keep a Secret?

    The impact of intellectual property (IP) law on information systems (IS) professionals in business cannot be overstated. The IS 2010 model curriculum guidelines for undergraduate IS programs stress the importance of information security and knowledge about IP. While copyright and patents are the most well-known types of IP, another, trade secrets, which involve confidential information generated by business to secure financial success, poses a unique challenge partly because IS professionals are often less familiar with trade secrets as a form of IP. Just as important is the crucial role IS plays in actually creating trade secrets. Information must not only be vital and proprietary but also its secrecy must be actively protected and maintained against data security challenges, including unethical behavior by disgruntled employees, corporate espionage, and inadvertent disclosure. Failure to do so results in a determination that information is not legally a protected trade secret. Unlike copyrights and patents, information cannot publicly be designated as a trade secret prior to a challenge. Instead, organizations must prove the information is actually a trade secret. Critical to this proof are the processes and internal systems businesses use to maintain information secrecy, which determine whether legal remedies exist if the trade secret is wrongfully divulged. This paper discusses trade secret law, methods used to secure trade secrets, and the role of IS in supporting and/or developing those methods. A class exercise provides IS students with insights into trade secret law and the acceptable, ethical conduct of IS professionals who protect trade secrets.

    Factors Influencing Support for Insider Threat Behaviours: Anger Rumination, Job Satisfaction, Right-Wing Authoritarianism and Depression/Anxiety

    The research on insider threats is largely limited to reactive security measures, with little consideration given to the psychological profile of insider threats and those that support these types of attacks against different industries and government bodies. In two studies, we examined the roles of anger rumination, job satisfaction, depression/anxiety, and right-wing authoritarianism as predictors of insider threats. In Study 1, we considered the role of anger rumination and job satisfaction as predictors of support for insider threat activities as presented through scenarios. As predicted, results indicated that both variables were strong predictors of organisational resentment and insider threat justification, with anger rumination also acting as a predictor of insider threat proclivity. In Study 2, we examined right-wing authoritarianism and depression/anxiety as predictors of insider threats. A multiple regression analysis revealed that right-wing authoritarianism negatively correlated with support for insider threats. There was no significant relationship between either depression and/or anxiety when considering support for insider threat activities. These findings suggest that a lack of authoritarian tendencies may play a role in justifying insider threat behaviours, whereas depression and anxiety do not appear to have a direct influence.

    Secure entity authentication

    According to Wikipedia, authentication is the act of confirming the truth of an attribute of a single piece of a datum claimed true by an entity. Specifically, entity authentication is the process by which an agent in a distributed system gains confidence in the identity of a communicating partner (Bellare et al.). Legacy password authentication is still the most popular one; however, it suffers from many limitations, such as compromise through social engineering techniques, dictionary attacks or database leaks. To address the security concerns in legacy password-based authentication, many new authentication factors have been introduced, such as PINs (Personal Identification Numbers) delivered through out-of-band channels, human biometrics and hardware tokens. However, each of these authentication factors has its own inherent weaknesses and security limitations. For example, phishing is still effective even when out-of-band channels are used to deliver PINs. In this dissertation, three types of secure entity authentication schemes are developed to alleviate the weaknesses and limitations of existing authentication mechanisms: (1) an end-user authentication scheme based on Network Round-Trip Time (NRTT) to complement location-based authentication mechanisms; (2) an Apache Hadoop authentication mechanism based on Trusted Platform Module (TPM) technology; and (3) a web server authentication mechanism for phishing detection with a new detection factor, NRTT. In the first work, a new authentication factor based on NRTT is presented. Two research challenges (i.e., the secure measurement of NRTT and network instabilities) are addressed to show that NRTT can be used to uniquely and securely identify login locations and hence can support location-based web authentication mechanisms. The experiments and analysis show that NRTT has superior usability, deployability, security, and performance properties compared to the state-of-the-art web authentication factors. In the second work, departing from the Kerberos-centric approach, an authentication framework for Hadoop that utilizes Trusted Platform Module (TPM) technology is proposed. It is shown that pushing the security down to the hardware level in conjunction with software techniques provides better protection than software-only solutions. The proposed approach provides significant security guarantees against insider threats, which manipulate the execution environment without the consent of legitimate clients. Extensive experiments are conducted to validate the performance and the security properties of the proposed approach. Moreover, the correctness and the security guarantees are formally proved via Burrows-Abadi-Needham (BAN) logic. In the third work, together with a phishing victim identification algorithm, NRTT is used as a new phishing detection feature to improve the detection accuracy of existing phishing detection approaches. The state-of-the-art phishing detection methods fall into two categories: heuristics and blacklists. The experiments show that the combination of NRTT with existing heuristics can improve the overall detection accuracy while maintaining a low false positive rate. In the future, to develop a more robust and efficient phishing detection scheme, it is paramount for phishing detection approaches to carefully select the features that strike the right balance between detection accuracy and robustness in the face of potential manipulation. In addition, leveraging Deep Learning (DL) algorithms to improve the performance of phishing detection schemes could be a viable alternative to traditional machine learning algorithms (e.g., SVM, LR), especially when handling complex and large-scale datasets.

    CPA's handbook of fraud and commercial crime prevention


    Faculty Perspectives - Fall 2016

    This issue features summaries of recent scholarship by Bernadette Atuahene, William Birdthistle, Sungjoon Cho, Henry H. Perritt, Jr. Also inside: an excerpt from a forthcoming article by A. Dan Tarlock.

    Self-adaptive Authorisation Infrastructures

    Traditional approaches in access control rely on immutable criteria by which to decide and award access. These approaches are limited, notably when handling changes in an organisation’s protected resources, resulting in the inability to accommodate the dynamic aspects of risk at runtime. An example of such risk is a user abusing their privileged access to perform insider attacks. This thesis proposes self-adaptive authorisation, an approach that enables dynamic access control. A framework for developing self-adaptive authorisation is defined, where autonomic controllers are deployed within legacy-based authorisation infrastructures to enable the runtime management of access control. Essential to the approach is the use of models and model-driven engineering (MDE). Models enable a controller to abstract from the authorisation infrastructure it seeks to control, reason about state, and provide assurances over changes to access. For example, a modelled state of access may represent an active access control policy. Given the diverse nature of implementations of authorisation infrastructures, MDE enables the creation and transformation of such models, whereby assets (e.g., policies) can be automatically generated and deployed at runtime. A prototype of the framework was developed, in which management of access control is focused on the mitigation of abuse of access rights. The prototype implements a feedback loop to monitor an authorisation infrastructure by modelling the state of access control and user behaviour, analyse potential solutions for handling malicious behaviour, and act upon the infrastructure to control future access control decisions. The framework was evaluated against mitigation of simulated insider attacks involving the abuse of access rights governed by access control methodologies. In addition, to investigate the framework’s approach in a diverse and unpredictable environment, a live experiment was conducted. This evaluated the mitigation of abuse performed by real users as well as demonstrating the consequence of self-adaptation through observation of user response.