
    Enterprise information security policy assessment - an extended framework for metrics development utilising the goal-question-metric approach

    Effective enterprise information security policy management requires review and assessment activities to ensure that information security policies are aligned with business goals and objectives. Because security policy management involves both the policy development process and the security policy produced as its output, security policy assessment requires goal-based metrics for each of these two elements. However, current security management assessment methods only provide checklist-style assessments predefined by industry best practices and do not allow organisation-specific goal-based metrics to be developed. Drawing on theories from the literature, this paper proposes the Enterprise Information Security Policy Assessment approach, which extends the Goal-Question-Metric (GQM) approach. The proposed assessment approach is then applied in a case scenario to illustrate its practical application. It is shown that the proposed framework addresses the requirement for developing assessment metrics and allows process-based and product-based assessment to be undertaken concurrently. Recommendations for further research include empirical research to validate the propositions and the practical application of the proposed assessment approach in case studies, which would provide opportunities to introduce further enhancements to the approach.

    Vulnerabilities and responsibilities: dealing with monsters in computer security

    Purpose – The purpose of this paper is to analyze information security assessment in terms of cultural categories and virtue ethics, in order to explain the cultural origin of certain types of security vulnerabilities, as well as to enable a proactive attitude towards preventing such vulnerabilities.

    Design/methodology/approach – Vulnerabilities in information security are compared to the concept of “monster” introduced by Martijntje Smits in philosophy of technology. The applicability of different strategies for dealing with monsters to information security is discussed, and the strategies are linked to attitudes in virtue ethics.

    Findings – It is concluded that the present approach can form the basis for dealing proactively with unknown future vulnerabilities in information security.

    Research limitations/implications – The research presented here does not define a stepwise approach for implementation of the recommended strategy in practice. This is future work.

    Practical implications – The results of this paper enable computer experts to rethink their attitude towards security threats, thereby reshaping their practices.

    Originality/value – This paper provides an alternative anthropological framework for descriptive and normative analysis of information security problems, which does not rely on the objectivity of risk.

    Comparison of the Efficiency of Budget Financing and the Social Security of a Region

    The article deals with theoretical and economic aspects of the “security” category and draws a distinction between philosophical, sociological, and economic approaches to the concept of social security. From the perspective of a system approach, the authors define the place of the region’s social security in ensuring national security. The article describes the theoretical content of the «social security» category and provides the authors’ specification for such terms as «social risks,» «danger,» and «threat.» The authors offer methodological tools to evaluate the region’s social security based on a complex assessment of the region’s socioeconomic and budget-financing indicators to identify the risks (deviations) and factors of inefficient financing. The proposed methodological approach is based on identifying the dependencies between the social and financial security of the region. The following indicators reflecting the social security level in the territory of residence were selected as estimated indicators: the region’s consolidated budget income and expenses, gross domestic product growth rates, natural population growth ratio, unemployment level, and the share of the population with income below the subsistence minimum. This approach was tested on the example of the Perm Territory and Sverdlovsk Region, revealing the regularities as well as favorable and unfavorable periods for the region’s social security. The obtained estimated indicators are ranked depending on the growth (fall) time lag, resilience, and sensitivity to budget financing. The assessment results show that the Perm Territory has been entering a deep recession in terms of national security since 2012. Similar tendencies are demonstrated by the Sverdlovsk Region; however, in view of the apparent diversity and dominant influence of the Perm Territory and the Sverdlovsk Region on the socioeconomic development of the Privolzhsky and Ural Federal Districts, respectively, the provided comparison is of scientific and practical interest.

    The research has been supported by the Grant of the Russian Science Foundation (the Project № 14–18–00574 "Anticrisis Information Analysis System: Diagnostics of Regions, Threat Assessment, and Scenario Forecasting to Maintain and Strengthen the Economic Security and Welfare of Russia").

    Measuring information security governance within general medical practice

    Information security is becoming increasingly important within the Australian general medical practice environment as legal and accreditation compliance is being enforced. Using a literature review, approaches to measuring information security governance were analysed for their potential suitability and use within General Practice for the effective protection of confidential information. The models, frameworks and guidelines selected were analysed to evaluate whether they were Key Performance Indicator (KPI) driven or process driven; whether the approach taken was strategic, tactical or operational; and whether governance or management assessment tools were presented. To measure information security governance and be both effective and practical, the approach to be utilised within General Practice would need to function at an operational level and be KPI driven. Eight of the 29 approaches identified were deemed to be applicable for measuring information security governance within the General Practice environment. However, further analysis indicated that these measurement approaches were either too complex to be directly implemented in General Practice, or collected self-assessment security data rather than actual security measurements. The literature review presented in this paper establishes the need for further research to develop an approach for measuring information security governance within General Practice.

    Risk-Based Approach in the Self-Assessment of Nuclear Security Culture for Users of Radioactive Sources

    The current emphasis on the need to protect radioactive sources from being used for malicious purposes makes it imperative to explore and shape an appropriate culture-based response. Promoting a robust security culture is consistent with the international legal instruments and standards, including the Code of Conduct for the Safety and Security of Radioactive Sources and IAEA guidance publications. This promotion would depend upon the successful implementation of relevant self-assessment tools and a series of culture indicators, both of which would serve as benchmarks to take a culture’s measure and identify practical ways to improve security. This approach must adjust the generic IAEA model and self-assessment methodology for nuclear security culture in order to accommodate the specific requirements in operation when using radioactive sources. Though the IAEA’s concept of security culture and its self-assessment recommendations are designed to be generic in order to apply to a wide range of facilities and activities, the modifications proposed in this paper are needed to make those recommendations more user friendly and consistent with the security risks and requirements. The distinct features of the proposed recommendations, to be reflected in the new design of security culture, can be summarized as: continued prevalence of safety orientation, application in diverse work environments, multiple and inter-modal transport, integration of host organizations into the overall security regime, mobile and portable operation, limited security awareness and resources, and disposal challenges. These special features also justify a differentiated approach to security culture inside organizations licensed to use radioactive sources. More frequent and more concerted efforts, including training and self-assessment, are expected to focus on a select group of employees who have direct relationships with radioactive sources (e.g. management teams, security personnel, operational staff, technicians and others). For other employees, efforts would be made concurrently to engage them in the process of raising security awareness, a less proactive endeavor than the development of security culture. The proposed differentiation is a targeted approach designed to make time and resource investment in training and culture assessment commensurate with the specific roles and responsibilities of individuals. This risk-based approach can facilitate a more robust and sustainable security regime for radioactive sources throughout their life cycle, i.e. from cradle to grave.

    Towards Vulnerability Discovery Using Staged Program Analysis

    Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But it presents multiple challenges, not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called Melange. Melange performs data and control flow analysis to diagnose potential security bugs, and outputs well-formatted bug reports that help developers understand and fix security bugs. Based on the intuition that real-world vulnerabilities manifest themselves across multiple parts of a program, Melange performs both local and global analyses. To scale up to large programs, global analysis is demand-driven. Our prototype detects multiple vulnerability classes in C and C++ code, including type confusion and garbage memory reads. We have evaluated Melange extensively. Our case studies show that Melange scales up to large codebases such as Chromium, is easy to use, and, most importantly, is capable of discovering vulnerabilities in real-world code. Our findings indicate that static analysis is a viable reinforcement to the software testing tool set.

    Comment: A revised version to appear in the proceedings of the 13th conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 201

    Inter-vulnerability of financial institutions and households in the system of national financial security assessment

    Purpose: The aim of this article is to study the concept of the interrelation of financial institutions' and households' vulnerabilities to the risk of money laundering, and the integration of this concept into the methodology of a national ML/TF (Money Laundering and Terrorist Financing) risk assessment. Design/Methodology/Approach: At the theoretical and methodological levels, the authors utilized a risk-based approach, which involves separating the object of study into risk levels and assessing its impact on each risk level. At the methodological and analytical levels, the authors utilized methods of grouping, descriptive analysis, comparison, synthesis, and graphic visualization of data. Findings: The most significant scientific results obtained in the course of the study include: a proprietary algorithm for calculating the intensity coefficient of threats to national financial security, whose practical validation on data from 27 countries allowed the structure of threats to financial security in the international landscape in the period 2013-2018 to be determined; and an originally developed questionnaire for assessing the risks of deviations in the financial behavior of households and individuals. Originality/Value: The key findings are targeted at widespread application in assessing money laundering risks at the national and international levels, and in developing strategic documents on the development of systems to fight money laundering and terrorist financing. The methodology for identifying the propensity to deviations in financial behavior, based on a questionnaire survey, could serve as the basis for developing scoring systems.

    The research was supported by Russian Foundation for Basic Research # 18-010-00657. Peer-reviewed.

    An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture

    Purpose: Employee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The aim of this research is to propose an approach to information security culture change management that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security. Design/methodology/approach: The Information Security Culture Change Management (ISCCM) approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study. Findings: The ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey. Research limitations/implications: The research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data. Practical implications: Organisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully. Originality/value: The proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.

    School of Computing